DCM: Detect presence of software that is not allowed
Hi everyone,
I'm a real noob with the DCM section of SCCM. I've read a lot on forums and tried many things, but I can't really find what I'm looking for.
What I need is very simple. I want to create a list of allowed software and I want to be able to check on a regular basis (monthly, for example) which computers have software installed that is NOT in this list, and what that software is.
I understood that I need to create a configuration baseline, but the only thing I can see in the CI wizard is how to check if a specific piece of software is installed. It's the same on every forum that I've visited... people always ask about detecting whether ONE piece of software is installed or not, but I'm in fact looking for the opposite.
It seems to me that neither the Create Application Configuration Item nor the Create General Configuration Item wizard would do the job.
Can SCCM do it?
Is DCM the right tool in SCCM to do what I want, or is there a better way?
How can I compare the already installed software list from the inventory to my allowed list?
Thanks so much for your help.
Alain
Answers
- In general, as you have seen, DCM is designed to allow you to check configuration of installed applications and OS components, but not necessarily to detect rogue software installations. You can create Application CIs for specific applications that are not allowed, using script or MSI detection to detect if they are present. Then, you can place them in a baseline under 'Prohibited' application CIs and then the baseline will be Noncompliant if they are detected. However, DCM cannot inherently detect any and all software on a system and compare to your 'whitelist' of approved apps.
I'm not sure if there is a way to use the installed software list from inventory for what you want to do or not. Perhaps someone else can help more with that.
Kevin
This posting is provided "AS IS", provides no warranties, and confers no rights. -- Kevin
Marked as answer by KevinM [MSFT], Moderator, Monday, September 14, 2009 4:50 PM
Proposed as answer by KevinM [MSFT], Moderator, Thursday, August 27, 2009 9:31 PM
- "What I need is very simple. I want to create a list of allowed software and I want to be able to check on a regular basis (monthly, for example) which computers have software installed that is NOT in this list, and what that software is."
That's not that simple ;)
DCM is a tool to compare your asset against what you'd like them to have - not what you don't want them to have.
I haven't dug deep into the Asset Intelligence part of SCCM, but as far as I know it will list every application installed (read: registered in Add/Remove Programs) and allows these to be categorized.
So if you have categorized all of your "whitelist" software, you should be able to spot the unknown software titles pretty easily. Plus, the AI homepage will give you a nice overview of what percentage of your inventoried apps are categorized and known and how many are not.
Marked as answer by KevinM [MSFT], Moderator, Monday, September 14, 2009 4:50 PM
Proposed as answer by KevinM [MSFT], Moderator, Thursday, August 27, 2009 9:31 PM
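A local version of the comparison discussed in this thread, as an added example that is not part of any post above: it lists Add/Remove Programs entries and reports every title that matches no allow-list pattern. The patterns and sample titles are constructed, and wiring the script into a DCM configuration item or a report is not shown; software that never registers in Add/Remove Programs is invisible to it.

```powershell
# Added example. The allow-list patterns and sample titles are constructed.

function Get-InstalledSoftware {
    # Uninstall keys behind Add/Remove Programs: native and 32-bit (WOW6432Node) views.
    # Per-user (HKCU) installs and unregistered executables are not covered here.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Get-UnapprovedSoftware {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Installed,
        [Parameter(Mandatory = $true)] [string[]] $AllowList  # -like wildcard patterns
    )
    foreach ($app in $Installed) {
        $name = ([string]$app.DisplayName).Trim()
        $approved = $false
        foreach ($pattern in $AllowList) {
            # -like is case-insensitive, so 'adobe reader 9' still matches 'Adobe Reader *'.
            if ($name -like $pattern) { $approved = $true; break }
        }
        if (-not $approved) { $app }   # emit only titles that matched nothing
    }
}

# Constructed allow-list: anchor each pattern on the full product name.
$allowList = 'Microsoft Office *', 'Adobe Reader *', '7-Zip *'

# Constructed inventory; use (Get-InstalledSoftware) instead to audit the local machine.
$installed = @(
    [pscustomobject]@{ DisplayName = 'Microsoft Office Professional Plus 2007'; DisplayVersion = '12.0'; Publisher = 'Microsoft Corporation' }
    [pscustomobject]@{ DisplayName = '7-Zip 4.65'; DisplayVersion = '4.65'; Publisher = 'Igor Pavlov' }
    [pscustomobject]@{ DisplayName = 'Example Toolbar'; DisplayVersion = '1.0'; Publisher = 'Example Publisher' }
    [pscustomobject]@{ DisplayName = 'Contoso Remote Helper'; DisplayVersion = '2.3'; Publisher = 'Contoso' }
)

$unapproved = @(Get-UnapprovedSoftware -Installed $installed -AllowList $allowList)
$unapproved | ForEach-Object {
    'UNAPPROVED: {0} {1} [{2}]' -f $_.DisplayName, $_.DisplayVersion, $_.Publisher
}
# Single verdict string, in the style of a compliance check result.
if ($unapproved.Count -gt 0) { 'NonCompliant' } else { 'Compliant' }
```

Matching on display name alone is easy to satisfy by renaming an entry, so a stricter allow-list would also compare the Publisher value.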
All Replies
- Hi Alain - I have the same requirement. Did you ever find a solution to this?

