Desired Configuration Management

Following the rollout of App-V 5 Service Pack 3, which i blogged about here, I found that about 20% of the public facing estate were reporting a state other than compliant.

I sighed inwardly as I knew I would be the only person to care about this, as per usual, until it went wrong for someone to start screaming.

*Then* it becomes important.

So I was plodding through the list of PCs returning errors, when it dawned upon me that there was an easier way to collect this data. Desired Configuration Management.

I’ve never touched this before though, so i wasn’t sure what to expect. Thankfully, it was a very simple thing to setup, although it has the power and complexity to go as far as you’re capable of going.

As SP3 was required on all domain PCs, it was a straight forward task to set this up as a Configuration Item (CI). I configured it thus:

Keep it simple and clear!

Keep it simple and clear!

The first step of the wizard; it’s useful to have a clear name and description, as this is what the user(s) will see if they run the reporting tool on the client. I ticked the option to state that it contained application settings, and assigned it to a Client category.

Nothing to do here...

Nothing to do here…

As above, this is required on all domain PCs. That makes the second step of the wizard very easy. I selected Always assume application is installed, and clicked on next.

Getting more interesting now!

Getting more interesting now!

In the Settings tab, click on New. I filled this out for my App-V install, so obviously you’ll need to pop whatever is relevant in here. One thing to note is how the registry key value is entered. if you get it wrong, strange things can happen, especially if you set this to remediate later! The important thing to note I suppose is that the actual value I am looking to check for isn’t mentioned here; it’#s jsut where to *look* for the value.

If in doubt, just browse to a random entry in your local machine hive as a test. This will show you what is expected to be entered in these boxes.



Now click on the Compliance Rules tab, and click New. I just copied and pasted the name from the previous tab and left the description blank. As I was upgrading from an old version, an existential check was of no use, so I selected Value. I entered the value for the Service Pack 3 version (note: this is where the value is checked, not the previous tab as per above), ticked to report and set the severity as critical.

Click Next, and click Next again. Select your OS platforms for applicability. i would recommend you filter out what you don’t want here. For App-V 5, it’s not going near anything apart from Win 7 and Win 8, so that’s all I selected.

Then I created a Configuration Baseline, and added the CI to the newly created baseline. I then deployed said baseline to my PCs. Within a day, I had an excellent splodge of data for a batch of PCs missing SP3, for whatever reason. this was in contrast to the monitoring of the actual deployment with returned a myriad of single PC errors.

it’s *very* nice. The View Report option on the client is brilliant, and allows your desktop support runarounds to see exactly what is wrong at first glance.

In fact, sitting here typing this up have given me an idea of adding in a second rule for App-V 5 SP3 compliance, which checks the service is running as well as the presence of the registry key.

To Powershell!


Flame on xD

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s