Configuration Baselines in ConfigMgr is an excellent way to update application configurations the way you want them to be. In this example, I was asked by one of our online academy students to update a Cisco AnyConnect local policy with a new value for its <FipsMode> setting. Sounded like a great blog topic to me 🙂
The Cisco AnyConnect Local Policy
The AnyConnectLocalPolicy.xml is an XML file containing security settings on the client, and is typically added during the installation of the Cisco AnyConnect client. Here is an example of a AnyConnectLocalPolicy.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="3.0.0592">
<FipsMode>false</FipsMode>
<BypassDownloader>false</BypassDownloader>
<RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>
<RestrictWebLaunch>true</RestrictWebLaunch>
<StrictCertificateTrust>true</StrictCertificateTrust>
<EnableCRLCheck>false</EnableCRLCheck>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
<ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
<UpdatePolicy>
<AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
<AllowVPNProfileUpdatesFromAnyServer>false</AllowVPNProfileUpdatesFromAnyServer>
<AllowManagementVPNProfileUpdatesFromAnyServer>false</AllowManagementVPNProfileUpdatesFromAnyServer>
<AllowServiceProfileUpdatesFromAnyServer>false</AllowServiceProfileUpdatesFromAnyServer>
<AllowISEProfileUpdatesFromAnyServer>false</AllowISEProfileUpdatesFromAnyServer>
<AllowComplianceModuleUpdatesFromAnyServer>false</AllowComplianceModuleUpdatesFromAnyServer>
<AuthorizedServerList>
<ServerName>vpn.corp.viamonstra.com</ServerName>
<ServerName>192.168.1.100</ServerName>
</AuthorizedServerList>
</UpdatePolicy>
</AnyConnectLocalPolicy>Configuration Baselines in ConfigMgr
In ConfigMgr you can use Configuration Baselines to discover and remediate settings. A Configuration Baseline is made up by one or more Configuration Items, which in turn has one or more settings you want to verify. You can have different types of settings, like registry value, file system, WQL query, etc. But in this example, I will use a PowerShell script which gives me more flexibility.
I will have one PowerShell script, the discovery script, that checks the FIPS mode setting in the AnyConnectLocalPolicy.xml file. And then, another PowerShell script, the remediation script, that updates the AnyConnectLocalPolicy.xml file with the correct value if needed. To simplify troubleshooting, I'll also add some basic logging to the scripts. You find the sample scripts in the end of this post.
Create the Configuration Item
Using the Configuration Manager console, navigate to Assets and Compliance / Compliance Settings / Configuration Items and then click Create Configuration Item.
On the General page, assign the name: CI – Update Cisco AnyConnect FIPS Mode, and then click Next.
On the Supported Platforms page, accept the default settings, and click Next.
On the Settings page, click New, configure the following settings, click OK, and then click Next:
- Name: Update Cisco AnyConnect FIPS Mode
- Setting type: Script
- Data type: Boolean
- Discovery Script: Add the sample discovery script (see further down this post)
- Remediation Script: Add the sample remediation script (see further down this post)
In the Compliance Rules tab, click New, configure the following settings, click OK, and then click Next twice followed by Close to finish the wizard.
- Name: Check FIPS Mode
- Selected setting: CI – Update Cisco AnyConnect FIPS Mode
- Rule Type: Value
- The value returned by the specified script: Equals / True
- Run the specified remediation script when this setting is noncompliant
Create the Configuration Baseline
Once the Configuration Item has been created, creating the Configuration Baseline is the next step.
Using the Configuration Manager console, navigate to Assets and Compliance / Compliance Settings / Configuration Baselines and then click Create Configuration Baseline.
On the General information page, configure the following settings, and click OK:
- Name: CB – Update Cisco AnyConnect FIPS Mode
- Configuration Data: CI – Update Cisco AnyConnect FIPS Mode
Deploy the Configuration Baseline
The final step is to deploy the baseline to a collection.
Using the Configuration Manager console, right-click the CB – Update Cisco AnyConnect FIPS Mode baseline, and click Deploy. Configure the following settings, and then click OK:
Remediate noncompliant rules when supported
Collection: Collection of your choosing, mine was named Update Cisco AnyConnect FIPS Mode
Verifying on the client
On the client you can easily verify the baseline by navigating to the Configuration tab in the Configuration Manager control panel applet.
The Discovery Script
In this example, the discovery script will look for the <FipsMode> value, and return True if it's set correctly (meaning enabled), or False if its set to something else.
# Configuration Item Script that checks for FipsMode setting
$FipsModeCompliantValue = "true"
$Logfile = "C:\Windows\Temp\CiscoAnyConnectProfile_Discovery.log"
# Delete any existing logfile if it exists
If (Test-Path $Logfile){Remove-Item $Logfile -Force -ErrorAction SilentlyContinue -Confirm:$false}
Function Write-Log{
param (
[Parameter(Mandatory = $true)]
[string]$Message
)
$TimeGenerated = $(Get-Date -UFormat "%D %T")
$Line = "$TimeGenerated : $Message"
Add-Content -Value $Line -Path $LogFile -Encoding Ascii
}
# Check if Cisco AnyConnect Policy is available
$AnyConnectLocalPolicyFile = "$Env:AllUsersProfile\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml"
If (Test-Path $AnyConnectLocalPolicyFile){
Write-Log "Cisco AnyConnect Policy found, continuing"
# Read the value from the profile
$xml = [Xml](Get-Content -Path $AnyConnectLocalPolicyFile)
$FipsModeCurrentValue = $xml.AnyConnectLocalPolicy.FipsMode
If ($FipsModeCurrentValue -eq $FipsModeCompliantValue){
Write-Log "Fipsmode value is compliant, currently set to: $FipsModeCurrentValue"
Return $True
}
Else{
Write-Log "Fipsmode value is Not compliant, currently set to: $FipsModeCurrentValue"
Return $False
}
}
Else{
Write-Log "Cisco AnyConnect Policy found Not found, do Nothing"
Return $True # Returning compliant anyway, no point in triggering a remediation for something that does not exist
}The Remediation Script
In this example, the remediation script will look for the <FipsMode> value, and change it to True.
# Configuration Item Script that checks for FipsMode setting
$FipsModeCompliantValue = "true"
$Logfile = "C:\Windows\Temp\CiscoAnyConnectProfile_Remediation.log"
# Delete any existing logfile if it exists
If (Test-Path $Logfile){Remove-Item $Logfile -Force -ErrorAction SilentlyContinue -Confirm:$false}
Function Write-Log{
param (
[Parameter(Mandatory = $true)]
[string]$Message
)
$TimeGenerated = $(Get-Date -UFormat "%D %T")
$Line = "$TimeGenerated : $Message"
Add-Content -Value $Line -Path $LogFile -Encoding Ascii
}
# Check if Cisco AnyConnect Policy is available
$AnyConnectLocalPolicyFile = "$Env:AllUsersProfile\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml"
If (Test-Path $AnyConnectLocalPolicyFile){
Write-Log "Cisco AnyConnect Policy found, continuing"
# Set the correct value
Write-Log "Setting Fipsmode value to: $FipsModeCompliantValue"
# Create XML Object and load the file (using PreserveWhitespace to preserve the tabs)
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($AnyConnectLocalPolicyFile)
# Change the value
$node = $xml.AnyConnectLocalPolicy
$node.FipsMode = $FipsModeCompliantValue
# Set encoding to UTF 8 without BOM
$Encoding = New-Object System.Text.UTF8Encoding($false)
$StreamWriter = New-Object System.IO.StreamWriter($AnyConnectLocalPolicyFile, $false, $Encoding)
# Save the file
$xml.Save( $StreamWriter )
$StreamWriter.Close()
}