@Heinrich_Pelser SCCM 2012 R2 Firewall Compliance Settings
I recently needed to create a nice and easy way to check what state of the Windows Firewall settings on devices. This is very straightforward when you use Compliance Settings in SCCM 2012 R2. In this scenario it was fairly easy as we needed to check if the firewall was on and to see if the connected profile in Windows Firewall is enabled or disabled.
In this post I’ll show you how I did this.
So, step 1 is to create a configuration item. This is used to define a configuration that we want to validate. Basically, the “stuff” we want to confirm is either on or off. We will need to create a single Configuration Item and once we are done creating it, associate it with a Configuration Baseline. But first you will the script below you can also find it here on MSDN. This is the script that I stared with and working with a colleague he made a few changes and we ended up with the script below. So copy this to notepad and save it as a .vbs file.
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4
Const NET_FW_ACTION_BLOCK = 0
Const NET_FW_ACTION_ALLOW = 1
Set fwPolicy2 = CreateObject(“HNetCfg.FwPolicy2”)
CurrentProfiles = fwPolicy2.CurrentProfileTypes
strWFStatus = “False”
If ( CurrentProfiles AND NET_FW_PROFILE2_DOMAIN ) Then
If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_DOMAIN) = TRUE Then
strWFStatus = “True”
If ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE ) Then
If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PRIVATE) = TRUE Then
strWFStatus = “True”
If ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC ) Then
If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PUBLIC) = TRUE Then
strWFStatus = “True”
2. So once you have your script saved (as a .vbs script file) open the SCCM console and navigate to Assets and Compliance.
3. Expand compliance Settings, right click on Configuration Items and select Create Configuration Item.
4. Next please give it a name and click Next.
5. Next please select the operating systems where the you want to check compliance on the Supported Platforms page and click Next.
6. Now click the New button on the Settings Page.
7. When the Create Settings window appears choose the following settings
- NAME: Windows Firewall
- Settings type: Script
- Data Type: String
Once that is done, click on Add Script … As shown below.
8. In the Edit Discovery Script window, select VBScript as the language and click Open, then browse to where you saved the script. You can also copy and paste it into this window. Click OK
9. On the Create Rule window create the following
- NAME: Firewall Rule
- Rule Type: Value
- The Following values: TRUE
- Noncompliance severity for reports: Critical
Once that’s done, click OK. As shown below.
10. When you’re back on the Settings page, click Next.
11. On the Compliance Page click Next. On the Summary Page Click Next, once its all done we can configure the Baseline!
A “Configuration Baseline” is basically a check list of configuration items that SCCM will check on the device. You can have a single or multiple configuration items in a Configuration Baseline, for example, we could create another configuration item (like we created in the steps above) and include that in this configuration baseline and check 2 configuration items in one go, therefore killing 2 birds with 1 stone. But seeing as we are only checking a single settings lets create out baseline and deploy it.
1. Under Assets and Compliance, expand Compliance Settings, right-click on Configuration Baseline and click Create Configuration Baseline.
2. In the Create Configuration Baseline window give it a name and click Add, and select Configuration Items
3. On the Add Configuration Items window, select the Check Windows Firewall and click Add, and click OK.
4. As shown above, finally click on, and you have created your baseline! Now we need to deploy it!
NOTE: To make sure that our devices get this baseline, we need to deploy it to a collection. By default this check will run every 7 days, if you want this information sooner, please change the Client Settings in the Administration Tab of SCCM.
5. Anyway … lets deploy! right click on your Configuration Baseline and click Deploy! Make sure its in the “Selected configuration items” section and choose your collection for deployment.
And make sure you choose a device collection!
After a short while, you’ll be able to see the configuration item on your machine via the Configuration Manager applet in the Control Panel.
You can also click on the “View Report” button to see the basics of what was checked.