Compliance Settings in ConfigMgr 2012 is a great feature that can be used for a variety of things. It’s used to validate certain settings on devices against rules that return a compliant or non-compliant state. One thing you could use Compliance Settings for is to check the compliance state of the Windows Firewall, i.e. whether it’s enabled or disabled. Even better, you can check whether the connected profile in Windows Firewall is enabled or disabled.

In this blog post I’ll demonstrate how to make use of Compliance Settings to report a compliant state when the connected profile of Windows Firewall is enabled. If it’s disabled, we’ll treat it as non-compliant.

Overview

  • Create a Configuration Item
  • Create a Configuration Baseline
  • Deploy the Configuration Baseline
  • Verify that a device has evaluated the Configuration Baseline

Create a Configuration Item

A Configuration Item is used to define a configuration and the associated validation criteria to be assessed for compliance on devices. We’ll create a single Configuration Item for the purpose of this scenario, and later associate it with a Configuration Baseline. Before we begin, we need the main component of the Configuration Item, and that’s the script below. This script is taken from MSDN and modified slightly in order to work in this scenario.

Option Explicit
Dim CurrentProfiles
Dim strWFStatus
Dim fwPolicy2

' Profile bit flags used by the Windows Firewall with Advanced Security API
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4

' CurrentProfileTypes is a bitmask of the profiles that are currently connected
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
CurrentProfiles = fwPolicy2.CurrentProfileTypes

' Default to non-compliant and flip to "True" as soon as a connected
' profile is found with the firewall enabled
strWFStatus = "False"
If ( CurrentProfiles AND NET_FW_PROFILE2_DOMAIN ) Then
   If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_DOMAIN) = TRUE Then
      strWFStatus = "True"
   End If
End If

If ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE ) Then
   If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PRIVATE) = TRUE Then
      strWFStatus = "True"
   End If
End If

If ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC ) Then
   If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PUBLIC) = TRUE Then
      strWFStatus = "True"
   End If
End If

' The echoed string is what the Compliance Rule compares against the value "True"
WScript.Echo(strWFStatus)
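As an added example that is not part of the original post, here is a PowerShell equivalent of the discovery script above, for use when Script language is set to PowerShell instead of VBScript in the Edit Discovery Script window. It uses the same HNetCfg.FwPolicy2 COM object and profile constants, but goes one step further than the VBScript: it returns "True" only when every connected profile has the firewall enabled, so a device with the domain profile on and the public profile off reports "False" rather than "True". The function name Get-ConnectedFirewallState is chosen for this example.

```powershell
# Added example, not from the original post: PowerShell discovery script for a
# ConfigMgr script setting with Data type String. It mirrors the VBScript above but
# reports "True" only when EVERY connected profile has the firewall enabled.
# Assumes the HNetCfg.FwPolicy2 COM object is available (Windows Vista and later).

$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4

function Get-ConnectedFirewallState {
    # Returns a hashtable: profile flag -> $true/$false (firewall enabled?)
    # containing only the profiles that are currently connected.
    $fwPolicy2 = New-Object -ComObject HNetCfg.FwPolicy2
    $current   = [int]$fwPolicy2.CurrentProfileTypes   # bitmask of connected profiles

    $results = @{}
    foreach ($profile in @($NET_FW_PROFILE2_DOMAIN, $NET_FW_PROFILE2_PRIVATE, $NET_FW_PROFILE2_PUBLIC)) {
        if (($current -band $profile) -ne 0) {
            $results[$profile] = [bool]$fwPolicy2.FirewallEnabled($profile)
        }
    }
    return $results
}

$state = Get-ConnectedFirewallState

# Compliant only if at least one profile is connected and none of the connected
# profiles has the firewall turned off. No connected profile at all (for example
# a device with no active network) is reported as "False", like the VBScript does.
if ($state.Count -gt 0 -and ($state.Values -notcontains $false)) {
    Write-Output "True"
} else {
    Write-Output "False"
}
```

ConfigMgr runs PowerShell discovery scripts under the PowerShell execution policy defined in the Computer Agent client settings, whose default of All Signed rejects unsigned scripts; either sign the script or set that client setting to Bypass for the collection you test with. The Compliance Rule stays the same as for the VBScript version: Rule type Value, equal to True.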

1. Open the ConfigMgr console and go to Assets and Compliance.
2. Expand Compliance Settings, right-click on Configuration Items and click Create Configuration Item.

3. In the Name field, enter a name that suits the purpose of the Configuration Item and click Next.

4. On the Supported Platforms page, select the operating system platforms that this Configuration Item will be assessed for compliance on and click Next.
5. Click the New button on the Settings page.
6. In the Create Settings window that appears, make the following selections:

  • Name: Windows Firewall Setting
  • Setting type: Script
  • Data type: String

7. Click on Add Script in the Discovery script section.
8. In the Edit Discovery Script window, select VBScript as the Script language. In the Script field, paste the script from above and click OK.

9. Back in the Create Setting window, go to the Compliance Rules tab and click on New.

10. In the Create Rule window, make the following changes:

  • Name: Windows Firewall Rule
  • Rule type: Value
  • The following values: True
  • Noncompliance severity for reports: Warning

Click on OK.

11. Back in the Create Setting window, click OK.
12. On the Settings page, click Next.

13. On the Compliance Rules page, click Next (we’ve already created a rule for this Configuration Item).
14. Click Next on the Summary page.
15. And finally on the Completion page, click Close.

Create a Configuration Baseline

The Configuration Baseline can be described as a container for one or more Configuration Data items (Configuration Items, Configuration Baselines and Software Updates). All of the Configuration Data items in the baseline need to be compliant for the Configuration Baseline to be assessed as compliant. For our scenario of assessing the compliance of the Windows Firewall, we’ll add our newly created Configuration Item called Check compliance state of Windows Firewall to a new Configuration Baseline.

1. In the Assets and Compliance node, expand Compliance Settings, right-click on Configuration Baseline and click Create Configuration Baseline.
2. In the Create Configuration Baseline window, make the following changes:

  • Name: Windows Firewall Compliance Check
  • Description: If the connected profile of Windows Firewall is enabled, it’s considered compliant

Click on Add and select Configuration Items.

3. In the Add Configuration Items window, select the Check compliance state of Windows Firewall and click Add.

4. Click on OK.
5. Back in the Create Configuration Baseline window, click OK.

Deploy the Configuration Baseline

In order for devices to evaluate the compliance state of a Configuration Baseline, the Configuration Baseline needs to be deployed to a collection. During the next Machine Policy Refresh Cycle, the members of that collection will then download the policy containing the information about this Configuration Baseline. Depending on the Client Settings, the Configuration Baseline will be evaluated on the device according to the specified schedule. The default schedule is every 7 days. You also have the option to specify a schedule for each Configuration Baseline when you deploy it; its default value matches the value specified in the Client Settings.

1. In the Assets and Compliance node, expand Compliance Settings and select Configuration Baselines.
2. Select the Windows Firewall Compliance Check, right-click and click Deploy.
3. In the Deploy Configuration Baselines window, click on Browse and select the collection whose members should check the compliance state. Click on OK.

Verify that a device has evaluated the Configuration Baseline

On a device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you’ll see which Configuration Baselines the client will evaluate on its specific schedule. As shown in the picture below, our Configuration Baseline was evaluated as Compliant.

[Screenshot: Configuration Manager applet, Configurations tab, showing the Windows Firewall Compliance Check baseline with a Compliant status]
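The Configuration Manager applet only lets you look; if you would rather not wait for the Machine Policy Refresh Cycle and the baseline schedule, the client exposes the same information through WMI. The script below is an added example, not part of the original post or of ConfigMgr’s documentation: it requests a machine policy refresh, looks up the baseline by its display name in the client’s root\ccm\dcm namespace, triggers an evaluation and prints the result. The class SMS_DesiredConfiguration, its TriggerEvaluation method and its IsEnforced, PolicyType, LastComplianceStatus and LastEvalTime properties are assumed from how the client exposes them; the function names Get-ClientBaseline and ConvertTo-ComplianceText are chosen for this example.

```powershell
# Added example, not from the original post. Lists the Configuration Baseline a
# ConfigMgr client has received and forces an immediate evaluation of it instead of
# waiting for the schedule. Assumes the client-side WMI namespace root\ccm\dcm and its
# SMS_DesiredConfiguration class with the TriggerEvaluation method.
# Run from an elevated PowerShell session on the client.

$BaselineName = 'Windows Firewall Compliance Check'   # baseline name used in the post

# Machine Policy Retrieval & Evaluation Cycle (schedule ID ...021), so that a freshly
# deployed baseline is downloaded before we look for it.
Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
    -ArgumentList '{00000000-0000-0000-0000-000000000021}' | Out-Null
Start-Sleep -Seconds 30

function Get-ClientBaseline {
    param([string]$DisplayName)
    Get-WmiObject -Namespace 'root\ccm\dcm' -Class SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -eq $DisplayName }
}

function ConvertTo-ComplianceText {
    param([int]$Status)
    # 0 and 1 are the values the console shows as Non-compliant / Compliant;
    # anything else means the baseline has not finished an evaluation yet.
    switch ($Status) {
        0       { 'Non-compliant' }
        1       { 'Compliant' }
        default { "Not yet evaluated (status $Status)" }
    }
}

$baseline = Get-ClientBaseline -DisplayName $BaselineName
if (-not $baseline) {
    Write-Warning "Baseline '$BaselineName' has not reached this client yet."
    return
}

# Arguments are passed in the method's declared order (Name, Version, IsEnforced,
# PolicyType). The [wmiclass] accelerator is used on purpose: Invoke-WmiMethod's
# -ArgumentList expects the parameters in alphabetical order, which is an easy mistake.
$dcm = [wmiclass]'root\ccm\dcm:SMS_DesiredConfiguration'
$null = $dcm.TriggerEvaluation($baseline.Name, $baseline.Version, $baseline.IsEnforced, $baseline.PolicyType)

# The evaluation runs asynchronously; give the client a moment, then re-read the result.
Start-Sleep -Seconds 20
$baseline = Get-ClientBaseline -DisplayName $BaselineName

$lastEval = 'never'
if ($baseline.LastEvalTime) {
    # LastEvalTime is a DMTF datetime string; convert it to a readable DateTime
    $lastEval = [System.Management.ManagementDateTimeConverter]::ToDateTime($baseline.LastEvalTime)
}
'{0} (v{1}): {2}, last evaluated {3}' -f $baseline.DisplayName, $baseline.Version,
    (ConvertTo-ComplianceText -Status $baseline.LastComplianceStatus), $lastEval
```

The state the script prints is the same one the Configurations tab shows, so it is a quick way to confirm that the client picked up the deployment before waiting for the reporting data to reach the site.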

That’s all!

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows deployments and Automation. In 2015 Nickolaj was awarded as PowerShell Hero by the community for his script and tools contributions. Author of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService and a frequent speaker at user groups.

comments
  • Richard Jolly, posted at 16:43 January 27, 2015:

    Thanks for this – really very useful. A couple of things – once completed – can this list be converted into a report/query and how easy is it to then remediate all the failed ones to true?

  • Rajeev Gautam, posted at 13:00 November 30, 2015:

    Great work!!! Can you also point to the table where this information is stored in the CM DB, or any other way to pull out the report?

  • Mike Compton, posted at 09:08 May 24, 2016:

    Hi

    This does not work on Windows 10, FW disabled on all profiles, yet the script returns True.