为使用 Configuration Manager 客户端管理的 Windows 台式机和服务器计算机创建自定义配置项目Create custom configuration items for Windows desktop and server computers managed with the Configuration Manager client

适用范围: Configuration Manager (Current Branch)Applies to: Configuration Manager (current branch)

使用 Configuration Manager 自定义 Windows 台式机和服务器 配置项目,为 Configuration Manager 客户端管理的 Windows 计算机和服务器管理设置。Use the Configuration Manager custom Windows Desktops and Servers configuration item to manage settings for Windows computers and servers that are managed by the Configuration Manager client.

启动向导Start the wizard

  1. 在 Configuration Manager 控制台中,转到“资产和符合性” 工作区,展开“符合性设置” ,再选择“配置项目” 节点。In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance Settings, and select the Configuration Items node.

  2. 在功能区的“主页” 选项卡上,选择“创建” 组中的“创建配置项目” 。On the Home tab of the ribbon, in the Create group, select Create Configuration Item.

  3. 在“创建配置项目向导” 的“常规” 页面上,指定配置项目的名称和可选描述。On the General page of the Create Configuration Item Wizard, specify a name, and optional description for the configuration item.

  4. 在“指定要创建的配置项目的类型” 下,选择“Windows 台式机和服务器(自定义)” 。Under Specify the type of configuration item that you want to create, select Windows Desktops and Servers (custom).

    提示

    如果要提供检查应用程序是否存在的检测方法设置,请选择“此配置文件包含应用程序设置” 。If you want to supply detection method settings that check for the existence of an application, select This configuration file contains application settings.

  5. 选择“类别” 以创建和分配类别,这样有助于在 Configuration Manager 控制台中搜索和筛选配置项目。To help you search and filter configuration items in the Configuration Manager console, select Categories to create and assign categories.

检测方法Detection methods

使用此过程可为配置项目提供检测方法信息。Use this procedure to provide detection method information for the configuration item.

备注

只有在向导的“常规” 页上选中“此配置项目包含应用程序设置” 后,此信息才适用。This information only applies if you select This configuration item contains application settings on the General page of the wizard.

Configuration Manager 中的检测方法包含用于检测应用程序是否在计算机上安装的规则。A detection method in Configuration Manager contains rules that are used to detect whether an application is installed on a computer. 此检测发生之前,客户端会针对配置项目评估其符合性。This detection occurs before the client assesses its compliance for the configuration item. 若要检测是否安装了应用程序,则可以检测到该应用程序的 Windows Installer 文件是否存在,请使用自定义脚本,或者选择 始终假设安装应用程序 来评估法规遵从性而不考虑是否安装了该应用程序的配置项目。To detect whether an application is installed, you can detect the presence of a Windows Installer file for the application, use a custom script, or select Always assume application is installed to assess the configuration item for compliance regardless of whether the application is installed.

使用 Windows Installer 文件检测应用程序安装的具体步骤To detect an application installation by using the Windows Installer file

  1. 在“创建配置项目向导” 的“检测方法” 页上,选择“使用 Windows Installer 检测” 选项。On the Detection Methods page of the Create Configuration Item Wizard, select the option to Use Windows Installer detection.

  2. 单击“打开” ,转到要检测的 Windows Installer (.msi) 文件,再选择“打开” 。Select Open, browse to the Windows Installer (.msi) file that you want to detect, and then select Open.

  3. “版本”字段自动填充 Windows Installer 文件的版本号 。The Version field automatically populates with the version number of the Windows Installer file. 如果显示的值不正确,请在此处输入新版本号。If the displayed value is incorrect, enter a new version number here.

  4. 若要检测计算机上的所有用户配置文件,请选中“此应用程序是针对一个或多个用户进行安装” 。If you want to detect each user profile on the computer, select This application is installed for one or more users.

若要检测特定应用程序和部署类型To detect a specific application and deployment type

  1. 在“创建配置项目向导” 的“检测方法” 页上,选择“检测特定应用程序和部署类型” 。On the Detection Methods page of the Create Configuration Item Wizard, select to Detect a specific application and deployment type. 选择“选择” 。Choose Select.

  2. 在“指定应用程序” 对话框中,选择要检测的应用程序和关联部署类型。In the Specify Application dialog box, select the application and an associated deployment type that you want to detect.

若要使用自定义脚本检测应用程序安装To detect an application installation by using a custom script

  1. 在“创建配置项目向导” 的“检测方法” 页上,选择“使用自定义脚本来检测此应用程序” 选项。On the Detection Methods page of the Create Configuration Item Wizard, select the option to Use a custom script to detect this application.

  2. 在列表中,选择脚本语言。In the list, select the language of the script. 从下面的格式中进行选择:Choose from the following formats:

    • VBScriptVBScript

    • JScriptJScript

    • PowerShellPowerShell

      备注

      从版本 1810 开始,当 Windows PowerShell 脚本作为检测方法运行时,Configuration Manager 客户端会使用 -NoProfile 参数调用 PowerShell。Starting in version 1810, when a Windows PowerShell script runs as a detection method, the Configuration Manager client calls PowerShell with the -NoProfile parameter. 此选项在没有配置文件的情况下启动 PowerShell。This option starts PowerShell without profiles. PowerShell 配置文件是在 PowerShell 启动时运行的脚本。A PowerShell profile is a script that runs when PowerShell starts.

  3. 选择“打开” ,转到要使用的脚本,再选择“打开” 。Select Open, browse to the script that you want to use, and then select Open.

指定支持的平台Specify supported platforms

在“创建配置项目向导” 的“支持的平台” 页上,选择要为其评估配置项目符合性的 Windows 版本,或单击“全选” 。On the Supported Platforms page of the Create Configuration Item Wizard, select the Windows versions on which you want the configuration item to be assessed for compliance, or choose Select all.

也可以手动指定 Windows 的版本 。You can also Specify the version of Windows manually. 选择“添加”并指定 Windows 内部版本号的每个部分 。Select Add and specify each part of the Windows build number.

备注

指定 Windows Server 2016 时,对 All Windows Server 2016 and higher 64-bit)的选择还包括 Windows Server 2019。When specifying Windows Server 2016, the selection for All Windows Server 2016 and higher 64-bit) also includes Windows Server 2019. 若要仅指定 Windows Server 2016,请使用“手动指定 Windows 版本选项” 。To specify Windows Server 2016 only, use the option to Specify the version of Windows manually.

配置设置Configure settings

使用此过程可在配置项目中配置设置。Use this procedure to configure the settings in the configuration item.

设置表示业务或技术用于评估客户端设备上的符合性的条件。Settings represent the business or technical conditions that are used to assess compliance on client devices. 你可以配置新设置,或浏览到引用计算机上的现有设置。You can configure a new setting or browse to an existing setting on a reference computer.

  1. 在“创建配置项目向导” 的“设置” 页上,选择“新建” 。On the Settings page of the Create Configuration Item Wizard, select New.

  2. 在上 常规 选项卡上 创建设置 对话框框中,提供以下信息:On the General tab of the Create Setting dialog box, provide the following information:

    • 名称:输入设置的唯一名称。Name: Enter a unique name for the setting. 最多可以使用 256 个字符。You can use a maximum of 256 characters.

    • 描述:输入设置的描述。Description: Enter a description for the setting. 最多可以使用 256 个字符。You can use a maximum of 256 characters.

    • 设置类型:在列表中,选择和配置要用于此设置的以下设置类型之一:Setting type: In the list, choose and configure one of the following setting types to use for this setting:

    • 数据类型:选择条件在用于评估设置之前返回数据的格式。Data type: Choose the format in which the condition returns the data before it's used to assess the setting. 不是所有设置类型都有对应的“数据类型” 列表显示。The Data type list isn't displayed for all setting types.

      提示

      “浮点” 数据类型仅支持小数点后 3 个数字。The Floating point data type supports only three digits after the decimal point.

  3. 配置此设置下的更多详情 设置类型 列表。Configure additional details about this setting under the Setting type list. 可配置的项目因已选择的设置类型而异。The items you can configure vary depending on the setting type you've selected.

  4. 单击“确定” 以保存设置,并关闭“创建设置” 对话框。Select OK to save the setting and close the Create Setting dialog box.

Active Directory 查询Active Directory query

  • LDAP 前缀:指定 Active Directory 域服务查询的有效前缀,以在客户端计算机上评估符合性。LDAP prefix: Specify a valid prefix to the Active Directory Domain Services query to assess compliance on client computers. 若要执行全局编录搜索,请使用 LDAP://GC://To do a global catalog search, use either LDAP:// or GC://.

  • 可分辨名称 (DN) :指定在客户端计算机上评估其符合性的 Active Directory 域服务对象的可分辨名称。Distinguished Name (DN): Specify the distinguished name of the Active Directory Domain Services object that is assessed for compliance on client computers.

  • 搜索筛选器:指定可选的 LDAP 筛选器以缩小 Active Directory 域服务查询的结果范围,从而在客户端计算机上评估符合性。Search filter: Specify an optional LDAP filter to refine the results from the Active Directory Domain Services query to assess compliance on client computers. 要从查询返回所有结果,请输入 (objectclass=*)To return all results from the query, enter (objectclass=*).

  • 搜索范围:指定在 Active Directory 域服务中的搜索范围Search scope: Specify the search scope in Active Directory Domain Services

    • 基础:仅查询指定对象Base: Queries only the specified object

    • 一级:这一版 Configuration Manager 不使用此选项One Level: This option isn't used in this version of Configuration Manager

    • 子树:查询指定对象及其在目录中的完整子树Subtree: Queries the specified object and its complete subtree in the directory

  • 属性:指定用于在客户端计算机上评估符合性的 Active Directory 域服务对象的属性。Property: Specify the property of the Active Directory Domain Services object that's used to assess compliance on client computers.

    例如,若要查询用于存储用户错误输入密码次数的 Active Directory 属性,请在此字段中输入 badPwdCountFor example, if you want to query the Active Directory property that stores the number of times a user incorrectly enters a password, enter badPwdCount in this field.

  • 查询:显示根据“LDAP 前缀” 、“可分辨名称 (DN)” 、“搜索筛选器” (若已指定)和“属性” 中的条目构造而成的查询。Query: Displays the query constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter (if specified), and Property.

程序集Assembly

程序集是可在应用程序之间共享的一段代码。An assembly is a piece of code that can be shared between applications. 程序集可以具有 .dll 或 .exe 文件扩展名。Assemblies can have the file name extension .dll or .exe. 全局程序集缓存是客户端计算机上的文件夹 %SystemRoot%\AssemblyThe global assembly cache is the folder %SystemRoot%\Assembly on client computers. 此缓存是 Windows 存储所有共享程序集的位置。This cache is where Windows stores all shared assemblies.

  • 程序集名称: 指定要搜索的程序集对象的名称。Assembly name: Specifies the name of the assembly object that you want to search for. 名称不能与相同类型的其他程序集对象相同。The name can't be the same as other assembly objects of the same type. 首先在全局程序集缓存中注册它。First register it in the global assembly cache. 程序集名称最多可以含有 256 个字符。The assembly name can be up to 256 characters long.

文件系统File system

  • 类型:在列表中,选择要搜索“文件” 还是“文件夹” 。Type: In the list, select whether you want to search for a File or a Folder.

  • 路径:指定客户端计算机上的指定文件或文件夹的路径。Path: Specify the path of the specified file or folder on client computers. 你可以在路径中指定系统环境变量和 %USERPROFILE% 环境变量。You can specify system environment variables and the %USERPROFILE% environment variable in the path.

    备注

    如果在“路径”或“文件或文件夹名称”框中使用 %USERPROFILE% 环境变量,则 Configuration Manager 客户端将搜索客户端计算机上的所有用户配置文件 。If you use the %USERPROFILE% environment variable in the Path or File or folder name boxes, the Configuration Manager client searches all user profiles on the client computer. 此行为可能导致它查找文件或文件夹的多个实例。This behavior could result in it finding multiple instances of the file or folder.

    如果符合性设置无权访问指定路径,便会生成发现错误。If compliance settings don't have access to the specified path, a discovery error is generated. 此外,如果您要搜索的文件当前正在使用,则生成发现错误。Additionally, if the file you are searching for is currently in use, a discovery error is generated.

    提示

    选择“浏览”以配置基准计算机上的值设置 。Select Browse to configure the setting from values on a reference computer.

  • 文件或文件夹名称:指定要搜索的文件或文件夹对象的名称。File or folder name: Specify the name of the file or folder object to search for. 你可以在文件或文件夹名称中指定系统环境变量和 %USERPROFILE% 环境变量。You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. 还可以在文件名中使用通配符 *?You can also use the wildcards * and ? in the file name.

    备注

    如果指定文件名或文件夹名称并使用通配符,这样的组合可能会生成许多结果。If you specify a file or folder name and use wildcards, this combination might produce a high number of results. 这还可能会导致客户端计算机上的资源使用率高,并导致在向 Configuration Manager 报告结果时网络流量高。It could also result in high resource use on the client computer, and high network traffic when reporting results to Configuration Manager.

  • 包括子文件夹:还可以搜索指定路径下面的所有子文件夹。Include subfolders: Also search any subfolders under the specified path.

  • 此文件或文件夹与 64 位应用程序相关联:如果启用,则仅搜索 64 位计算机上的 64 位文件位置,如 %ProgramFiles%This file or folder is associated with a 64-bit application: If enabled, only search 64-bit file locations such as %ProgramFiles% on 64-bit computers. 如果未启用此选项,则会同时搜索 64 位位置和 32 位位置,如 %ProgramFiles(x86)%If this option isn't enabled, search both 64-bit locations and 32-bit locations such as %ProgramFiles(x86)%.

    备注

    如果在同一 64 位计算机上的 64 位和 32 位系统文件位置中存在相同的文件或文件夹,则全局条件会发现多个文件。If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer, multiple files are discovered by the global condition.

    “文件系统” 设置类型不支持在“路径” 框中指定网络共享的 UNC 路径。The File system setting type doesn't support specifying a UNC path to a network share in the Path box.

IIS 元数据库IIS metabase

  • 元数据库路径:指定 Internet Information Services (IIS) 元数据库的有效路径。Metabase path: Specify a valid path to the Internet Information Services (IIS) metabase. 例如,/LM/W3SVC/For example, /LM/W3SVC/.

  • 属性 ID:指定 IIS 元数据库设置的数值属性。Property ID: Specify the numeric property of the IIS metabase setting.

注册表项Registry key

  • 配置单元:选择要搜索的注册表配置单元Hive: Select the registry hive that you want to search

    提示

    选择“浏览”以配置基准计算机上的值设置 。Select Browse to configure the setting from values on a reference computer. 若要浏览到远程计算机上的注册表项,请在远程计算机上启用“远程注册表”服务 。To browse to a registry key on a remote computer, enable the Remote Registry service on the remote computer.

  • 密钥:指定要搜索的注册表项名称。Key: Specify the registry key name that you want to search for. 使用格式 key\subkeyUse the format key\subkey.

  • 此注册表项与 64 位应用程序相关联:在正在运行 64 位版本 Windows 的客户端上,除了搜索 32 位注册表项外,还搜索 64 位注册表项。This registry key is associated with a 64-bit application: Search 64-bit registry keys in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

    备注

    如果在同一 64 位计算机上的 64 位和 32 位注册表位置中存在相同的注册表项,则全局条件会发现两个注册表项。If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

注册表值Registry value

  • 配置单元:选择要搜索的注册表配置单元。Hive: Select the registry hive to search.

    提示

    选择“浏览”以配置基准计算机上的值设置 。Select Browse to configure the setting from values on a reference computer. 若要浏览到远程计算机上的注册表项值,请在远程计算机上启用“远程注册表”服务 。To browse to a registry value on a remote computer, enable the Remote Registry service on the remote computer. 还需具有管理员权限才能访问远程计算机。You also need administrator permissions to access the remote computer.

  • 密钥:指定要搜索的注册表项名称。Key: Specify the registry key name to search for. 使用格式 key\subkeyUse the format key\subkey.

  • :指定必须包含在指定注册表项中的值。Value: Specify the value that must be contained within the specified registry key.

  • 此注册表项与 64 位应用程序相关联:在正在运行 64 位版本 Windows 的客户端上,除了搜索 32 位注册表项外,还搜索 64 位注册表项。This registry key is associated with a 64-bit application: Search the 64-bit registry keys in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

    备注

    如果在同一 64 位计算机上的 64 位和 32 位注册表位置中存在相同的注册表项,则全局条件会发现两个注册表项。If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

脚本Script

脚本返回的值用于评估全局条件的符合性。The value returned by the script is used to assess the compliance of the global condition. 例如,使用 VBScript 时,可以使用命令“WScript.Echo Result” 将 Result 变量值返回给全局条件。For example, when using VBScript, you could use the command WScript.Echo Result to return the Result variable value to the global condition.

  • 发现脚本:选择“添加脚本”,然后输入或浏览到脚本 。Discovery script: Select Add Script, and enter or browse to a script. 此脚本用于查找值。This script is used to find the value. 您可以使用 Windows PowerShell、 VBScript、 或 Microsoft JScript 脚本。You can use Windows PowerShell, VBScript, or Microsoft JScript scripts.

  • 修正脚本(可选) :选择“添加脚本”,然后输入或浏览到脚本 。Remediation script (optional): Select Add Script, and enter or browse to a script. 此脚本用于修正不符合的设置值。This script is used to remediate non-compliant setting values. 您可以使用 Windows PowerShell、 VBScript、 或 Microsoft JScript 脚本。You can use Windows PowerShell, VBScript, or Microsoft JScript scripts.

  • 使用登录用户凭据运行脚本:如果你启用此选项,脚本会在使用登录用户凭据的客户端计算机上运行。Run scripts by using the logged on user credentials: If you enable this option, the script runs on client computers that use the credentials of the signed-in user.

备注

从版本 1810 开始,当将 Windows PowerShell 脚本作为发现或修正脚本时,Configuration Manager 客户端会使用 -NoProfile 参数调用 PowerShell。Starting in version 1810, when you use Windows PowerShell as a discovery or remediation script, the Configuration Manager client calls PowerShell with the -NoProfile parameter. 此选项在没有配置文件的情况下启动 PowerShell。This option starts PowerShell without profiles. PowerShell 配置文件是在 PowerShell 启动时运行的脚本。A PowerShell profile is a script that runs when PowerShell starts.

SQL 查询SQL query

  • SQL Server 实例:选择是要对默认实例、所有实例,还是对指定数据库实例名称运行 SQL 查询。SQL Server instance: Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name.

    备注

    实例名称必须引用 SQL Server 的本地实例。The instance name must refer to a local instance of SQL Server. 为了引用群集的 SQL Server 实例,应该使用脚本设置。To refer to a clustered SQL server instance, you should use a script setting.

  • 数据库:指定要对其运行 SQL 查询的 Microsoft SQL Server 数据库的名称。Database: Specify the name of the Microsoft SQL Server database against which you want to run the SQL query.

  • :指定用于评估全局条件的符合性的 Transact-SQL 语句返回的列名。Column: Specify the column name returned by the Transact-SQL statement that's used to assess the compliance of the global condition.

  • Transact-SQL 语句:指定要用于全局条件的完整 SQL 查询。Transact-SQL statement: Specify the full SQL query you want to use for the global condition. 若要使用现有的 SQL 查询,请选择“打开” 。To use an existing SQL query, select Open.

    重要

    SQL 查询设置不支持任何修改数据库的 SQL 命令。SQL Query settings don't support any SQL commands that modify the database. 只能使用从数据库读取信息的 SQL 命令。You can only use SQL commands that read information from the database.

WQL 查询WQL query

  • 命名空间:指定客户端计算机上要评估其符合性的 WMI 命名空间。Namespace: Specify the WMI namespace that's assessed for compliance on client computers. 默认值为 root\cimv2The default value is root\cimv2.

  • :在上述命名空间中指定目标 WMI 类。Class: Specify the target WMI class in the above namespace.

  • 属性:在上述类中指定目标 WMI 属性。Property: Specify the target WMI property in the above class.

  • WQL 查询 WHERE 子句:指定有限制的子句以减少结果。WQL query WHERE clause: Specify a qualifying clause to reduce the results. 例如,若要只查询 Win32_Service 类中的 DHCP 服务,WHERE 子句可以是 Name = 'DHCP' and StartMode = 'Auto'For example, to only query the DHCP service in the Win32_Service class, the WHERE clause could be Name = 'DHCP' and StartMode = 'Auto'.

XPath 查询XPath query

  • 路径:指定客户端计算机上用于评估符合性的 .xml 文件的路径。Path: Specify the path of the .xml file on client computers that is used to assess compliance. Configuration Manager 支持在路径名称中使用所有 Windows 系统环境变量和 %USERPROFILE% 用户变量。Configuration Manager supports the use of all Windows system environment variables and the %USERPROFILE% user variable in the path name.

  • XML 文件名:指定在上述路径中包含 XML 查询的文件名。XML file name: Specify the file name containing the XML query in the above path.

  • 包括子文件夹:启用此选项可以搜索指定路径下的任何子文件夹。Include subfolders: Enable this option to search any subfolders under the specified path.

  • 此文件与 64 位应用程序相关联:在运行 64 位版本 Windows 的 Configuration Manager 客户端上,除了搜索 32 位系统文件位置 %Windir%\Syswow64,还可以搜索 64 位系统文件位置 %Windir%\System32This file is associated with a 64-bit application: Search the 64-bit system file location %Windir%\System32 in addition to the 32-bit system file location %Windir%\Syswow64 on Configuration Manager clients that are running a 64-bit version of Windows.

  • XPath 查询:指定有效的完整 XML 路径语言 (XPath) 查询。XPath query: Specify a valid full XML path language (XPath) query.

  • 命名空间:标识要在 XPath 查询期间使用的命名空间和前缀。Namespaces: Identify namespaces and prefixes to be used during the XPath query.

如果你尝试发现加密的 .xml 文件,符合性设置会查找文件,但 XPath 查询不会生成任何结果。If you attempt to discover an encrypted .xml file, compliance settings find the file, but the XPath query produces no results. Configuration Manager 客户端未生成错误。The Configuration Manager client doesn't generate an error.

如果 XPath 查询无效,设置会在客户端计算机上被评估为不符合。If the XPath query isn't valid, the setting is evaluated as noncompliant on client computers.

配置符合性规则Configure compliance rules

符合性规则指定定义配置项目的符合性的条件。Compliance rules specify the conditions that define the compliance of a configuration item. 设置必须具有至少一个符合性规则,才能对它评估符合性。Before a setting can be evaluated for compliance, it must have at least one compliance rule. WMI、 注册表和脚本设置可以修正找到要不符合要求的值。WMI, registry, and script settings let you remediate values that are found to be noncompliant. 您可以创建新的规则或浏览到要在其中选择规则任何配置项目中的现有设置。You can create new rules or browse to an existing setting in any configuration item to select rules in it.

若要创建符合性规则To create a compliance rule

  1. 在“创建配置项目向导” 的“符合性规则” 页上,选择“新建” 。On the Compliance Rules page of the Create Configuration Item Wizard, select New.

  2. Create Rule 对话框框中,提供以下信息:In the Create Rule dialog box, provide the following information:

    • 名称:输入符合性规则的名称。Name: Enter a name for the compliance rule.

    • 描述:输入符合性规则的说明。Description: Enter a description for the compliance rule.

    • 选定的设置:选择“浏览” 以打开“选择设置” 对话框。Selected setting: Select Browse to open the Select Setting dialog box. 选择要为其定义规则的设置,或单击“新建设置” 。Select the setting that you want to define a rule for, or select New Setting. 完成后,选择“选择” 。When you're finished, choose Select.

      提示

      如要查看当前选定设置的相关信息,请选择“属性” 。To view information about the currently selected setting, select Properties.

    • 规则类型:选择要使用的符合性规则的类型:Rule type: Select the type of compliance rule that you want to use:

      • :创建可以将配置项目返回的值与指定的值进行比较的规则。Value: Create a rule that compares the value returned by the configuration item against a value that you specify. 有关其他设置的详细信息,请参阅值规则For more information on the additional settings, see Value rules.

      • 现有:创建根据设置是否存在于客户端设备上或根据找到它的次数来评估设置的规则。Existential: Create a rule that evaluates the setting depending on whether it exists on a client device or on the number of times it's found. 有关其他设置的详细信息,请参阅现有规则For more information on the additional settings, see Existential rules.

  3. 单击“确定” ,以关闭“创建规则” 对话框。Select OK to close the Create Rule dialog box.

值规则Value rules

  • 属性:要检查的对象的属性取决于选定的设置。Property: The property of the object to check varies depending upon the selected setting. 可用属性因设置类型而异。The available properties vary based on the type of setting.

  • 设置必须符合以下规则:可用的规则或权限因设置类型而异。The setting must comply with the following...: The available rules or permissions vary based on the type of setting.

  • 在支持时修正非符合性规则:如果希望 Configuration Manager 自动修正不符合性规则,请选择此选项。Remediate noncompliant rules when supported: Select this option for Configuration Manager to automatically remediate non-compliant rules. Configuration Manager 通过以下规则类型支持此操作:Configuration Manager supports this action with the following rule types:

    • 注册表值:如果不符合,客户端将设置注册表值。Registry value: If it's noncompliant, the client sets the registry value. 如果不存在,客户端将创建该值。If it doesn't exist, the client creates the value.

    • 脚本:客户端使用通过设置指定的修正脚本。Script: The client uses the remediation script that you specified with the setting.

    • WQL 查询WQL query

    重要

    仅当规则运算符设置为“等于” 时,才能修正非符合性规则。You can only remediate noncompliant rules when the rule operator is set to Equals.

  • 在找不到此设置实例时报告不相容:如果在客户端计算机上找不到此设置,请为配置项目启用此选项以报告不符合项。Report noncompliance if this setting instance is not found: If this setting isn't found on client computers, enable this option for the configuration item to report noncompliance.

  • 报表的不符合性严重程度:指定不符合此符合性规则时报告的严重性级别(在 Configuration Manager 报表中)。Noncompliance severity for reports: Specify the severity level that's reported in Configuration Manager reports if this compliance rule fails. 可用的严重性级别如下:The following severity levels are available:

    • None
    • 信息Information
    • 警告Warning
    • 严重Critical
    • 严重事件:不符合此符合性规则的计算机将报告故障严重性“严重” 。Critical with event: Computers that fail this compliance rule report a failure severity of Critical. 应用程序事件日志中也会以 Windows 事件的形式记录此严重性级别。This severity level is also logged as a Windows event in the application event log.

现有规则Existential rules

备注

显示的选项可能视为其配置规则的设置类型而异。The options shown might vary depending on the setting type you're configuring a rule for.

  • 此设置必须存在于客户端设备The setting must exist on client devices

  • 设置不得存在于客户端设备The setting must not exist on client devices

  • 该设置会发生以下次数:The setting occurs the following number of times:

  • 报表的不符合性严重程度:指定不符合此符合性规则时报告的严重性级别(在 Configuration Manager 报表中)。Noncompliance severity for reports: Specify the severity level that's reported in Configuration Manager reports if this compliance rule fails. 可用的严重性级别如下:The following severity levels are available:

    • None
    • 信息Information
    • 警告Warning
    • 严重Critical
    • 严重事件:不符合此符合性规则的计算机将报告故障严重性“严重” 。Critical with event: Computers that fail this compliance rule report a failure severity of Critical. 应用程序事件日志中也会以 Windows 事件的形式记录此严重性级别。This severity level is also logged as a Windows event in the application event log.

跟踪配置项目修正Track configuration item remediations

(从版本 2002 中引入) (Introduced in version 2002)

从 Configuration Manager 版本 2002 开始,可在配置项目符合性规则上“跟踪修正历史记录(如支持)” 。Starting in Configuration Manager version 2002, you can Track remediation history when supported on your configuration item compliance rules. 启用此选项后,客户端上发生的配置项目的任何修正都会生成状态消息。When this option is enabled, any remediation that occurs on the client for the configuration item generates a state message. 历史记录存储在 Configuration Manager 数据库中。The history is stored in the Configuration Manager database.

使用公共视图“v_CIRemediationHistory”生成自定义报表以查看修正历史记录 。Build custom reports to view the remediation history by using the public view v_CIRemediationHistory. RemediationDate 列是客户端执行修正的时间(以 UTC 为单位)。The RemediationDate column is the time, in UTC, the client ran the remediation. ResourceID 用于标识设备。The ResourceID identifies the device. 使用“v_CIRemediationHistory”视图生成自定义报表有助于 :Building custom reports with the v_CIRemediationHistory view helps you:

  • 确定修正脚本可能存在的问题Identify possible issues with your remediation scripts
  • 找出修正的趋势,如每个评估周期中始终不符合要求的客户。Find trends in remediations such as a client that is consistently non-compliant each evaluation cycle.

启用“跟踪修正历史记录(如支持)”选项Enable the Track remediation history when supported option

  • 对于新配置项目,在向导的“设置”页面上创建新设置时,请在“符合性规则”选项卡中添加“跟踪修正历史记录(如支持)”选项 。For new configuration items, add the Track remediation history when supported option in the Compliance Rules tab when you create a new setting on the wizard's Settings page.
  • 对于现有配置项,请在配置项目“属性”中的“符合性规则”选项卡上添加“跟踪修正历史记录(如支持)”选项 。For existing configuration items, add the Track remediation history when supported option on the Compliance Rules tab in the configuration item Properties. 版本 2002 中的“跟踪修正历史记录(如支持)” Track remediation history when supported in version 2002

后续步骤Next steps

创建配置基线Create configuration baselines