Elroy-1144 asked SherryKissinger-ECM commented

Trying to create configuration item on file property within user profile

We want to use compliance management to know if anybody has modified a configuration .xml file in the user profile under %userprofile%\appdata\roaming\appname\common

I created a configuration item with these properties:
Type: File
Path: %userprofile%\appdata\roaming\appname\common
File or folder name: Configuration.xml

For the compliance rule I have tried checking Modify Date between two dates, and I have also tried checking file size equals. The problem is that no matter what I do, the compliance check always comes back compliant. I have tried copying non-compliant files into the folder and refreshing policy. But when I re-run evaluation it still thinks my system is compliant.

I am starting to think it might have a problem interpreting the variable %userprofile% in my path? Is there a better way to do this?

Thanks for reading

mem-cm-general

Garth answered SherryKissinger-ECM commented

You can add logging to your script to confirm what folder it is looking at, but it is likely looking at the local system account.


Agreed, you want to do this: "We want to use compliance management to know if anybody has modified a configuration .xml file in the user profile under %userprofile%\appdata\roaming\appname\common", but when you select in a CI the type of "File", there is no option for "run using the logged on user credentials", like there is for script types.

I suspect you will need to use a custom script (PowerShell likely) that you design to run "using the logged on user credentials". A simple script like, say...

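# Build the path inside the logged-on user's profile
$source = $env:USERPROFILE + '\appdata\roaming\appname\common\Configuration.xml'
# Read the file's last-modified timestamp
$d = [datetime](Get-ItemProperty -Path $source -Name LastWriteTime).lastwritetime
# Modified on or after the cutoff: return the date and profile; otherwise return 'Compliant'
if ($d -ge '2021-01-01') {write-host "$d for $env:USERPROFILE"} else {write-host 'Compliant'}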

'what means compliant' is the string value of Compliant. If it's non-compliant, you'll get the date of the .xml and what profile it was in when the test ran, in the ci results returned, which is usually handy.

I haven't tested the above, but it probably will work. Test and verify, of course.

(Personally, if it were me, I'd go deep geek, and since I'm already scripting, I likely wouldn't compare dates, but would instead read the .xml file and look for "the settings I care about that absolutely must be there or else"; but that's just me. Often dates can get wonky--but the contents of the file might be just fine and what you expect to be there.)

AllenLiu-MSFT answered AllenLiu-MSFT commented

Hi, @Elroy-1144
Thank you for posting in Microsoft Q&A forum.

I tested it in my lab with the same configuration as yours, and got the same result.
I checked the DcmWmiProvider.log on the client, and found %userprofile%\appdata\roaming\ evaluated to: C:\Users\Default\appdata\roaming\

Then, if we haven't checked "Report noncompliance if this setting instance is not found", it will report as "Compliance" if the file is not found. If we checked it, it will report as "Non-Compliance" if the file is not found.

We may follow this guidance to create user data and profiles configuration items:
https://docs.microsoft.com/en-us/mem/configmgr/compliance/deploy-use/create-user-data-and-profiles-configuration-items



There is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?

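The script approach discussed in this thread (read the .xml for the settings that must be present, run with the logged-on user's credentials), written out as an added example that is not code from any of the participants. It also reports the two failure modes seen above: a profile path resolving to C:\Users\Default or the local system account, and a missing file passing as compliant. The XPath entries, expected values, sample XML and the function name Test-AppConfig are hypothetical placeholders.

```powershell
# Added example: discovery script for a script-type configuration item.
# Assumption: the CI is set to run the script with the logged-on user's
# credentials, so $env:USERPROFILE is that user's profile.

# Hypothetical required settings (XPath -> expected value); replace with the
# application's real ones. Constructed sample file that would pass:
#   <Configuration>
#     <Server url="https://app.example.internal" />
#     <Updates enabled="true" />
#   </Configuration>
$required = [ordered]@{
    '/Configuration/Server/@url'      = 'https://app.example.internal'
    '/Configuration/Updates/@enabled' = 'true'
}

function Test-AppConfig {
    param(
        [string]$ProfileRoot,
        [System.Collections.IDictionary]$Required
    )
    # Evaluated in the wrong context (Default profile or local system account)
    if ($ProfileRoot -match '\\(Default|systemprofile)$') {
        return "Wrong context: $ProfileRoot"
    }
    $path = Join-Path $ProfileRoot 'appdata\roaming\appname\common\Configuration.xml'
    # A missing file is reported explicitly instead of passing silently
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        return "Missing: $path"
    }
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.XmlResolver = $null      # do not fetch external DTDs or entities
        $xml.Load($path)
    } catch {
        return "Unreadable XML: $path"
    }
    # Collect every required setting that is absent or has a different value
    $problems = foreach ($xpath in $Required.Keys) {
        $node = $xml.SelectSingleNode($xpath)
        if ($null -eq $node) {
            "absent $xpath"
        } elseif ($node.InnerText -cne $Required[$xpath]) {
            "changed $xpath"       # -cne: case-sensitive comparison
        }
    }
    if ($problems) { return "NonCompliant in ${ProfileRoot}: " + ($problems -join '; ') }
    return 'Compliant'
}

# The returned string is the value the compliance rule compares with 'Compliant'
Test-AppConfig -ProfileRoot $env:USERPROFILE -Required $required
```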