This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 34%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
We want to use compliance management to know if anybody has modified a configuration .xml file in the user profile under %userprofile%\appdata\roaming\appname\common
I created a configuration item with these properties:
Type: File
Path: %userprofile%\appdata\roaming\appname\common
File or folder name: Configuration.xml
For the compliance rule I have tried checking Modify Date between two dates, and I have also tried checking file size equals, the problem is no matter what I do the compliance check always comes back compliant. I have tried copying non-compliant files into the folder and refreshing policy. But when I re-run evaluation it still thinks my system is compliant.
I am starting to think it might have a problem interpreting the variable %userprofile% in my path? Is there a better way to do this?
Thanks for reading
You can add logging to your script to confirm what folder it is looking at but it likely looking at the local system account.
Agreed, you want to do this: "We want to use compliance management to know if anybody has modified a configuration .xml file in the user profile under %userprofile%\appdata\roaming\appname\common", but when you select in a CI the type of "File", there is no option for "run using the logged on user credentials", like there is for script types.
I suspect you will need to use a custom script (powershell likely), that you design to run "using the logged on user credentials". A simple script like, say...
$source = $env:USERPROFILE + '\appdata\roaming\appname\common\Configuration.xml'
$d = datetime.lastwritetime
if ($d -ge '2021-01-01') {write-host "$d for $env:USERPROFILE"} else {write-host 'Compliant'}
'what means compliant' is the string value of Compliant. If it's non-compliant, you'll get the date of the .xml and what profile it was in when the test ran, in the ci results returned, which is usually handy.
I haven't tested the above; but it probably will work. test and verify, of course.
(Personally, if it were me, i'd go deep geek, and since I'm already scripting, I likely wouldn't compare dates, but would instead read the .xml file and look for "the settings I care about that absolutely must be there or else"; but that's just me. Often dates can get wonky--but the contents of the file might be just fine and what you expect to be there.)
Hi, @Elroy
Thank you for posting in Microsoft Q&A forum.
I test it in my lab with the same configuration like yours, and get the same result.
I checked the DcmWmiProvider.log on client, and found %userprofile%\appdata\roaming\ evaluated to : C:\Users\Default\appdata\roaming\
Then, if we haven't check "Report noncompliance if this setting instance is not found", then it will report as "Compliance" if the file is not found. If we checked it, it will report as "Non-Compliance" if the file is not found.
We may follow this guidance to create user data and profiles configuration items:
https://learn.microsoft.com/en-us/mem/configmgr/compliance/deploy-use/create-user-data-and-profiles-configuration-items
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
There is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?