We need to create our detection script to enable debug logging, but how do we enable debug logging for the ConfigMgr client?Ī simple Bing search reveals we need to change a couple of values and create a key as well. Later, in my detection script, you will see where I use the native PowerShell Boolean output to send my results to the compliance rule. The MSDN page shows the started property as a Boolean result, thus the data type should be Boolean. Without verifying the properties via MSDN, you might select the data type of String, and in your compliance rule simply type the word True, but this would be incorrect. If I am looking for the “Started” property via PowerShell, the console simply says True. When using Compliance Settings, you need to verify the data type you are sending to your compliance rule otherwise the setting will never work properly and will show non-compliant.Įxample of this would be looking up a service via WMI (Win32_Service). In this instance I want to use a script to detect the scenario and return a Boolean data type.ĭata type is very important to pay attention to when setting up your CI’s. It is worth pointing out, I could do this with the standard Registry Key and Value options but would require multiple settings and compliance rules. I give my setting a verbose name, select Script in the first drop down, and Boolean as the second. I need to create a new Setting for this CI and I need to give it a name that fits what this particular setting is going to monitor. I have no need to exclude this on a per platform basis so I leave the defaults and click next. In my lab, I named the CI, “CI – ConfigMgr Debug Logging - Enabled.” I always recommend a verbose naming convention, not only for the top level CI but for the settings and compliance rules in the CI. Additionally, we will monitor all clients to ensure debug logging is not enabled manually and left enabled.įirst we need to create a new CI (Configuration Item). Not only will this ensure we have a consistent method to enable debug logging, but it will be apparent if someone leaves a machine in the enable debug collection for an extended period of time. In this blog I will cover how to create two Configuration Items with settings to enable and disable debug logging by simply adding/removing a machine from a single collection. After playing out the scenario in my head a few times, I thought, what if we could actually enable debug logging with Compliance Settings and disable it once our need for debugging is complete? When we dug into the issue, the Escalation Engineer noted two key findings, disk performance and debug logging were enabled on a remote SQL DB.Īfter thinking about this for a while, I thought this would be a great use case for Compliance Settings to monitor for debug logging. Recently one of my customers with a fairly sizable environment (150K Clients) began experiencing backlog issues on a particular site. One of the things I have been recommending to my customers more and more is the use of Compliance Settings, and trying to show ConfigMgr admins how useful they can be for day to day task. For my first blog, I would like to talk about ConfigMgr Compliance Settings. Hello, my name is Cameron Cox, I am a System Center Configuration Manager PFE. First published on TECHNET on Apr 10, 2015
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |