Managing Workstation Uptime with Compliance Settings
Background
I was recently approached by one of my customers who was looking for a way to force their users to reboot their workstations at least once every 7 days for maintenance reasons. In the past, I’ve seen this handled via a combination of DCM/Compliance Settings, collections, and package/program deployments.
While that approach works, a more streamlined one is to use the remediation capability built into Compliance Settings in ConfigMgr 2012: the same Configuration Item that detects excessive uptime can also trigger the reboot.
In today’s blog post, we’re going to discuss how to accomplish this without involving collection refresh schedules and persistent package deployments.
Creating the Configuration Item
First, we’ll need to create a Configuration Item that will detect the uptime for a workstation and includes a remediation that will initiate a reboot.
On the “Assets and Compliance” tab, we want to create a new configuration item under the “Compliance Settings” folder. Name the configuration item and make sure the type is set to “Windows”.
On the “Supported Platforms” step, it is generally a good idea to limit the scope of your CI to the platforms that will be targeted. In this case, we don’t want any servers to reboot once a week, so we’ll include only workstation operating systems.
Finally, on the “Compliance Rules” step, we’ll create a new setting. Set the setting type to “Script” and the data type to “Integer”, since our discovery script will return 0 or 1.
Our discovery script will need to detect the system uptime and report back whether or not the system has an uptime greater than 7 days. To accomplish this, we’ll use a simple PowerShell script that reads the last boot time from WMI and calculates the uptime for us.
#Use Get-WMIObject to read the Win32_OperatingSystem class
$Win32OS = Get-WMIObject -Class Win32_OperatingSystem
#Calculate the uptime based on the LastBootUpTime property and the local date and time
$Uptime = $Win32OS.ConvertToDateTime($Win32OS.LocalDateTime) - `
$Win32OS.ConvertToDateTime($Win32OS.LastBootUpTime)
#Check if the total number of days in our uptime calculation is greater than 7
#Return a 0 for a non-compliant system and a 1 if the system is compliant
if ($Uptime.TotalDays -gt 7){
$compliant = 0
}
else {
$compliant = 1
}
echo $compliant
Next, we’ll need to create a remediation script. This runs only when a system has been detected as non-compliant, and it is what lets us avoid collection refresh timers and perpetual package/program deployments. The script simply calls shutdown.exe to initiate a restart with a 60 minute countdown. To change the countdown, change the value of the “/t 3600” argument (in seconds); the message in the reboot pop-up is the text of the “/c” argument, which is limited to 512 characters. Two things to keep in mind: shutdown.exe treats any “/t” value above 0 as also implying “/f”, so open applications are force-closed when the countdown expires, and the remediation script runs in the local SYSTEM context unless “Run scripts by using the logged on user credentials” is checked, which is what allows it to restart the machine regardless of who is logged on.
Start-Process shutdown -ArgumentList `
'/r /t 3600 /c "It has been more than 7 days since the last system reboot."' `
-wait -NoNewWindow -PassThru
For our compliance rule, we want a value rule that checks that the integer returned by our discovery script equals 1. If the workstation has been up for more than 7 days, the script returns 0, the rule evaluates as non-compliant, and our remediation script runs. Be sure to check the “Run the specified remediation script when this setting is noncompliant” option on the setting, or the shutdown command will never be issued to non-compliant workstations.
Now that we have both our setting and our compliance rules created, we can finish the “Create Configuration Item” wizard.
Creating the Baseline
With our Configuration Item created, we next move on to creating a baseline. Here, we will add the configuration item we just created.
Deploying the Baseline
In our final step, we’re going to deploy the baseline to a collection of workstations on which we’d like to enforce our 7 day reboot policy. Be sure to check the “Remediate noncompliant rules when supported” option, and also “Allow remediation outside the maintenance window” if you have maintenance windows configured for your workstations. One more thing to verify before deploying: the “PowerShell execution policy” client setting under Computer Agent. If it is set to “AllSigned”, both the discovery and remediation scripts must be signed with a certificate the clients trust, or the evaluation will fail with an error rather than a reboot. Set the evaluation schedule to be frequent enough to catch machines in a reasonable timeframe after they pass 7 days of uptime, but not so aggressive that it affects system performance. I recommend every 1 day as a happy medium.
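Before pasting the two scripts into the Configuration Item, it is worth testing the threshold and the shutdown behaviour locally. The following is an added example, not code from the original post: the discovery and remediation logic from the walkthrough folded into functions that can be exercised with constructed boot times, plus a -WhatIf switch so the shutdown command is shown rather than run. The function names and the -MaxDays and -CountdownSeconds parameters are this example’s own choices. It also checks for Fast Startup (Windows 8 and later), which keeps the kernel session across a shutdown and power-on, so LastBootUpTime only resets on a restart; shutdown /r performs a full restart, so the remediation still works, but users who “shut down” every evening will still be reported as non-compliant.

```powershell
# Added example: discovery and remediation logic as testable functions.
# Not part of the original post; function and parameter names are assumptions.

function Get-LastBootUpTime {
    # LastBootUpTime comes back as a DMTF datetime string from Get-WmiObject;
    # ConvertToDateTime turns it into a local [datetime], as in the CI script.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return $os.ConvertToDateTime($os.LastBootUpTime)
}

function Test-UptimeCompliant {
    param(
        [int]$MaxDays = 7,
        [datetime]$LastBoot = (Get-LastBootUpTime),
        [datetime]$Now = (Get-Date)
    )
    $uptime = $Now - $LastBoot
    # Same contract as the CI discovery script: 1 = compliant, 0 = non-compliant.
    if ($uptime.TotalDays -gt $MaxDays) { return 0 } else { return 1 }
}

function Invoke-UptimeRemediation {
    param(
        [int]$CountdownSeconds = 3600,
        [string]$Message = "It has been more than 7 days since the last system reboot.",
        [switch]$WhatIf
    )
    # /t above 0 implies /f: applications are force-closed when the timer expires.
    # /c is limited to 512 characters.
    $shutdownArgs = "/r /t $CountdownSeconds /c `"$Message`""
    if ($WhatIf) { return "shutdown $shutdownArgs" }
    $p = Start-Process -FilePath shutdown -ArgumentList $shutdownArgs -Wait -NoNewWindow -PassThru
    return $p.ExitCode
}

# Local checks against constructed boot times; no reboot is issued here.
$now = Get-Date
if ((Test-UptimeCompliant -LastBoot $now.AddDays(-3)  -Now $now) -ne 1) { throw "3 days up should be compliant" }
if ((Test-UptimeCompliant -LastBoot $now.AddDays(-10) -Now $now) -ne 0) { throw "10 days up should be non-compliant" }
Write-Output ("Would run: " + (Invoke-UptimeRemediation -WhatIf))

# Real uptime on this machine, same way the CI will see it.
Write-Output ("Current result: " + (Test-UptimeCompliant))

# Fast Startup check: HiberbootEnabled = 1 means a shutdown/power-on cycle
# does not reset LastBootUpTime, only a restart does.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hb = Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue
if ($hb -and $hb.HiberbootEnabled -eq 1) {
    Write-Warning 'Fast Startup is enabled; uptime counts from the last restart, not the last power-on.'
}
```

To actually fire the remediation from an elevated prompt, drop -WhatIf; the pending restart can still be cancelled during the countdown with shutdown /a by anyone with the privilege to do so, which is why a daily evaluation schedule matters: the CI will simply re-issue the shutdown on the next evaluation.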
Comments
- Anonymous
January 01, 2003
Awesome!