How to create configuration items for Windows 10 devices managed with the System Center Configuration Manager Client
Use the System Center Configuration Manager Windows 10 configuration item to manage settings for Windows 10 computers that are managed by the Configuration Manager client.
In this release, if you created a Password setting as part of a configuration item of the type Windows 10 (for a device managed with the Configuration Manager client), then, if the setting does not already exist, or has not been configured on the Windows 10 device, it will incorrectly evaluate as compliant.
As a workaround, when you create a setting for these devices, ensure that Remediate noncompliant settings is selected on the settings pages of the Create Configuration Item wizard. In addition, when you deploy a configuration baseline containing a Windows 10 configuration item containing password settings, select Remediate noncompliant rules when supported in the Deploy Configuration Baselines dialog box. By using this workaround, the setting will be monitored, and remediated if it is found to be noncompliant. After remediation, the setting will be correctly reported as Compliant (unless a problem is encountered in which case it will report Error).
To create a Windows 10 configuration item
In the Configuration Manager console, click Assets and Compliance.
In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items.
On the Home tab, in the Create group, click Create Configuration Item.
On the General page of the Create Configuration Item Wizard, specify a name, and optional description for the configuration item.
Under Specify the type of configuration item that you want to create, select Windows 10.
Click Categories if you create and assign categories to help you search and filter configuration items in the Configuration Manager console.
On the Supported Platforms page of the wizard, select the specific Windows 10 platforms that will evaluate the configuration item.
On the Device Settings page of the wizard, select the settings group that you want to configure. See Windows 10 configuration item settings reference in this article for details, and then click Next.
If the setting that you want is not listed, select the Configure additional settings that are not in the default setting groups check box.
On each settings page, configure the settings you require, and whether you want to remediate them when they aren't compliant on devices (when this is supported).
For each settings group, you can also configure the severity that will be reported when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule don't report a failure severity for Configuration Manager reports.
Information - Devices that fail this compliance rule report a failure severity of Information for Configuration Manager reports.
Warning - Devices that fail this compliance rule report a failure severity of Warning for Configuration Manager reports.
Critical - Devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.
On the Platform Applicability page of the wizard, review any settings that aren't compatible with the supported platforms you selected earlier. You can go back and remove these settings, or you can continue.
Unsupported settings are not assessed for compliance.
Complete the wizard.
You can view the new configuration item in the Configuration Items node of the Assets and Compliance workspace.
Windows 10 configuration item settings reference
|Require password settings on devices||Require a password on supported devices.|
|Minimum password length (characters)||The minimum length in characters for the password.|
|Password expiration in days||The number of days before the password must be changed.|
|Number of passwords remembered||Prevents reusing previous passwords.|
|Number of failed logon attempts before a device is wiped||Wipes the device if sign in fails this number of times.|
|Idle time before device is locked||Specifies how many minutes the device must be inactive before it's automatically locked.|
|Password complexity||Choose whether you can specify a PIN such as ‘1234’, or whether you must supply a strong password.|
|Number of complex character sets required in password||If you selected a Strong password, use this setting to configure the number of complex character sets required. For a strong password, this setting should be set to at least **3, which means both letters and numbers are required. Select 4 if you want to enforce a password that additionally requires special characters such as (%$.
(Windows 10 only)
|Bluetooth||Allows use of the Bluetooth feature on the device.|
|Settings synchronization||Allows synchronization of settings between devices.|
|Credentials synchronization||Allows synchronization of credentials between devices.|
|Settings synchronization over metered connections||Allow settings to be synchronized when the Internet connection is metered.|
|Data roaming||Allow roaming between networks when accessing data.|
|File encryption on device||Requires that files on the device are encrypted.|
|User Account Control||Configures how Windows User Account Control works on the device.
For example, you can disable it, or set the level at which it notifies you.
|Network firewall||Enables or disables Windows Firewall.|
|SmartScreen||Enable or disable Windows SmartScreen.|
|Virus protection||Requires that antivirus software must be installed and configured.|
|Virus protection signatures are up to date||Requires that the signature files for the antivirus software on the device must be up to date.|
Windows Information Protection (WIP)
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leaks through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (formerly Enterprise data protection) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
Configuration Manager Windows Information Protection configuration items manage the list of apps protected by WIP, enterprise network locations, protection level, and encryption settings.
For information about how to configure Windows Information protection with Configuration Manager, see Protect your enterprise data using Windows Information Protection (WIP).