Introduction to Compliance Settings in Configuration Manager


Updated: June 26, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Compliance settings in System Center 2012 Configuration Manager provides a unified interface and user experience that lets you manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in your organization. Compliance settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates, security settings, and mobile device settings. Configuration item settings of the types Windows Management Instrumentation (WMI), registry, and script, and all mobile device settings in Configuration Manager, let you automatically remediate noncompliant settings when they are found.

Important

To deploy configuration items to Android, iOS, Windows Phone, and enrolled Windows 8.1 devices, these devices must be enrolled into Microsoft Intune. For information about how to get your devices enrolled, see Manage mobile devices with Microsoft Intune.

Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate, together with the settings and rules that describe the level of compliance you must have. You can import this configuration data into Configuration Manager from Microsoft System Center Configuration Manager Configuration Packs, which are best-practice configurations defined by Microsoft and other vendors and downloaded from the web. Or, an administrative user can create new configuration items and configuration baselines.
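As an added illustration (this is not code from the page or from Microsoft's documentation), the following pair of PowerShell scripts shows what a script-type setting with automatic remediation looks like inside a configuration item. The registry value it checks, the LanmanServer SMB1 value that disables the SMBv1 server when set to 0, is only an example; the dialog option names quoted in the comments are those of the Configuration Manager console, and everything else about the environment is assumed.

```powershell
# Added example: a script setting for a device configuration item.
# Two scripts are pasted into the Create Setting dialog. The discovery script must
# write exactly one value to standard output; the compliance rule on the setting
# compares that value (here: "Value returned by the script Equals Compliant").

# ---------------- Discovery script ----------------
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegName  = 'SMB1'      # illustrative value; DWORD 0 = SMBv1 server disabled
$Expected = 0

try {
    $actual = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Stop).$RegName
} catch {
    # Value absent: the server treats a missing SMB1 value as enabled, so report it as such.
    $actual = $null
}

# Emit a single token and nothing else; any extra output would break the comparison.
if ($null -ne $actual -and [int]$actual -eq $Expected) {
    Write-Output 'Compliant'
} else {
    Write-Output 'NonCompliant'
}

# ---------------- Remediation script ----------------
# Runs only when the setting has "Run the specified remediation script when this
# setting is noncompliant" selected and the baseline deployment has
# "Remediate noncompliant rules when supported" enabled.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegName = 'SMB1'

if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name $RegName -Value 0 -PropertyType DWord -Force | Out-Null

# After remediation the client evaluates the setting again, so the discovery script
# above decides whether the fix took. Note that the SMB1 value is only read when the
# Server service starts: the setting can report Compliant while the old state is
# still live until the service or the computer restarts.
```

Three practical caveats. A device-targeted script runs as the local system account; for a user setting (for example, a value under HKCU:), select "Run scripts by using the logged-on user credentials", and the client then evaluates it only while a user is logged on. If the compliance settings client setting for the PowerShell execution policy is AllSigned, both scripts must be signed or they are never run and the setting reports an error rather than noncompliance. Finally, if the script is executed in a 32-bit host on a 64-bit client, registry redirection applies to paths under HKLM\SOFTWARE; the HKLM\SYSTEM path used here is not redirected.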

After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them. This provides the administrator with a high level of control.

Client devices evaluate their compliance against each deployed configuration baseline and immediately report the results to the site by using state messages and status messages. If a client device is currently not connected to the network but has already downloaded the configuration items that are referenced in a deployed configuration baseline, the configuration baseline is still evaluated for compliance, and the compliance information is sent when the client reconnects.

You can monitor the results of the configuration baseline evaluation compliance from the Deployments node in the Monitoring workspace in the Configuration Manager console to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can also run compliance settings reports to find additional details, such as which devices are compliant or noncompliant, and which element of the configuration baseline is causing a computer to be noncompliant. You can also view compliance evaluation results from Windows clients by using the Configurations tab in Configuration Manager in Control Panel.
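The Configurations tab in the Control Panel item reads its data from the client's compliance WMI provider, and the same interface can be scripted when you need to force an evaluation and check a client without waiting for the evaluation schedule or the site reports. The following script is an added example, not code from the page or from Microsoft; the namespace, class and method names are those of the Configuration Manager client, while the mapping of LastComplianceStatus codes to text and the wait time are assumptions of this example.

```powershell
# Added example: trigger evaluation of every configuration baseline deployed to this
# client and read the results back from the client's WMI provider. Assumed to run in
# an elevated PowerShell session on a Windows client with the Configuration Manager
# client installed.

$Namespace = 'root\ccm\dcm'

# LastComplianceStatus codes as interpreted by this example (assumed mapping).
$StatusText = @{
    0 = 'Noncompliant'
    1 = 'Compliant'
    2 = 'Submitted'
    3 = 'Unknown'
    4 = 'Detecting'
    5 = 'Not evaluated'
}

function Invoke-BaselineEvaluation {
    # Calls TriggerEvaluation for each deployed baseline and returns how many were triggered.
    # With -ArgumentList the parameters are passed in alphabetical order of their names:
    # IsEnforced, Name, PolicyType, Version. IsEnforced is passed through from the deployment.
    $baselines = @(Get-WmiObject -Namespace $Namespace -Class SMS_DesiredConfiguration)
    foreach ($b in $baselines) {
        Invoke-WmiMethod -Namespace $Namespace -Class SMS_DesiredConfiguration `
            -Name TriggerEvaluation `
            -ArgumentList @([bool]$b.IsEnforced, $b.Name, $b.PolicyType, $b.Version) | Out-Null
    }
    return $baselines.Count
}

function Get-BaselineComplianceReport {
    # Returns one object per deployed baseline with a readable status and evaluation time.
    Get-WmiObject -Namespace $Namespace -Class SMS_DesiredConfiguration | ForEach-Object {
        $lastEval = $null
        if ($_.LastEvalTime) {
            # WMI stores DMTF date strings; convert to a DateTime for display.
            $lastEval = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastEvalTime)
        }
        New-Object PSObject -Property @{
            Baseline     = $_.DisplayName
            Version      = $_.Version
            Status       = $StatusText[[int]$_.LastComplianceStatus]
            LastEvalTime = $lastEval
            IsMachine    = $_.IsMachineTarget
        }
    }
}

$count = Invoke-BaselineEvaluation
Write-Host "Triggered evaluation of $count baseline(s); waiting for the client to finish..."
Start-Sleep -Seconds 30   # evaluation is asynchronous; lengthen this for large baselines

Get-BaselineComplianceReport |
    Sort-Object Status |
    Format-Table Baseline, Version, Status, LastEvalTime, IsMachine -AutoSize

# Optional: push the resulting state messages to the site now instead of on the next
# state message cycle ({...111} is the client's "Send Unsent State Messages" schedule).
Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
    -ArgumentList '{00000000-0000-0000-0000-000000000111}' | Out-Null
```

Baselines deployed to users (IsMachine false) are evaluated in the logged-on user's session, so run the script in that context to see their results. When a baseline stays at Detecting or reports an error, the client-side logs CIAgent.log, DCMAgent.log and DcmWmiProvider.log record which configuration item or setting failed to download or evaluate.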

You can use compliance settings to support the following business requirements:

  • Compare the configuration of desktop computers, laptops, servers, and mobile devices in your enterprise against best practices configurations from Microsoft and other vendors.

  • Verify the configuration of provisioned devices against one or more custom-defined configuration baselines before the computers go into production.

  • Identify device configurations that are not authorized by change control procedures.

  • Prioritize noncompliance with five levels of severity (None, Information, Warning, Critical, and Critical with event).

  • Report compliance with regulatory policies and in-house security policies.

  • Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.

  • Provide the help desk with the information to detect probable causes of reported incidents and problems by identifying noncompliant configurations.

  • Automatically remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager.

  • Remediate noncompliance by deploying applications, packages and programs, or scripts to a collection that is automatically populated with computers that report that they are out of compliance.

  • Integrate with other management products that monitor Windows events on computers to take automatic action when a configuration is reported as noncompliant.

For an example scenario that shows how you might use compliance settings in your environment, see Example Scenario for Compliance Settings in Configuration Manager.

User Data and Profiles Configuration Items

For System Center 2012 Configuration Manager SP1 and later:

User data and profiles configuration items contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy them to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. Unlike other configuration items, you do not add these to configuration baselines before you deploy them. You can deploy them directly with the Deploy User Data and Profiles Configuration Item dialog box.

For more information, see the topic How to Create User Data and Profiles Configuration Items in Configuration Manager.

What’s New in Configuration Manager

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for compliance settings, which was known as desired configuration management in Configuration Manager 2007:

  • Configuration Manager 2007 desired configuration management is now called compliance settings in System Center 2012 Configuration Manager.

  • Configuration Manager provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results.

  • An administrative user can create registry and file system settings by browsing to an existing file, folder, or registry setting on the local or a remote reference computer.

  • It is now easier for an administrative user to create configuration baselines.

  • You can reuse settings for multiple configuration items.

  • You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager.

  • When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If the compliance is below the specified threshold after a specified date and time, System Center 2012 Configuration Manager generates an alert to notify the administrator.

  • You can use the new monitoring features of System Center 2012 Configuration Manager to monitor compliance settings and to view the most common causes of noncompliance, errors, and the number of users and devices that are affected.

  • You can deploy configuration baselines to users and devices.

  • Configuration baseline deployments and evaluation now support Configuration Manager maintenance windows.

  • You can use compliance settings to manage the mobile devices that you enroll with Configuration Manager.

  • Configuration item versioning lets you view and use earlier versions of configuration items. You can restore or delete earlier versions of configuration items and see the user names of administrative users who made changes.

  • Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings that are stored in HKEY_CURRENT_USER and user-based script settings that an administrative user configured.

  • Improved reports contain rule details, remediation information, and troubleshooting information.

  • You can now detect and report conflicting compliance rules.

  • Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings, but the Configuration Manager console cannot interpret it. Therefore, you cannot view or edit the configuration item properties in the console. Before you import Configuration Packs or configuration baselines to System Center 2012 Configuration Manager, you must remove uninterpreted configuration items in Configuration Manager 2007.

  • You can migrate configuration items and configuration baselines from Configuration Manager 2007 to System Center 2012 Configuration Manager. During migration, configuration data is automatically converted into the new format.

  • Settings groups from Configuration Manager 2007 are no longer supported in System Center 2012 Configuration Manager.

  • Regular expressions for settings are not supported in System Center 2012 Configuration Manager.

  • Using wildcard characters for registry settings is not supported in System Center 2012 Configuration Manager. If you migrate configuration data from Configuration Manager 2007, you must remove wildcard characters from registry settings before you migrate. Otherwise the data will not be valid in the System Center 2012 Configuration Manager configuration item.

  • The string operators Matches and Do not Match are not supported in System Center 2012 Configuration Manager.

  • You can no longer create configuration items of the type General from the Configuration Manager console. You can now create only application configuration items and operating system configuration items. However, if you create a configuration item for a mobile device, this is created as a general configuration item.

What’s New in Configuration Manager SP1

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for compliance settings in Configuration Manager SP1:

  • You can create user data and profiles configuration items that contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy these settings to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console.

  • The new Mac OS X configuration item lets you evaluate and remediate property list (.plist) settings on Mac computers. You can also use shell scripts to evaluate and remediate other Mac settings.

What’s New in System Center 2012 R2 Configuration Manager

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for compliance settings in System Center 2012 R2 Configuration Manager:

  • New mobile device settings and mobile device setting groups have been added. These can be found on the Mobile Device Settings page of the Create Configuration Item Wizard.