管理具有 Configuration Manager 用戶端之裝置上合規性的一般工作Common tasks for managing compliance on devices with the Configuration Manager client

適用於: Configuration Manager (最新分支)Applies to: Configuration Manager (current branch)

本文透過引導您進行您可能遇到的一些常見案例,為您簡介使用 Configuration Manager 的相容性設定。This article gives you an introduction to using Configuration Manager compliance settings by guiding you through some common scenarios that you might come across.

若您已熟悉合規性設定,您可以在由 Configuration Manager 用戶端管理之裝置的設定項目中找到所用全部功能的詳細資訊。If you're already familiar with compliance settings, you can find detailed information about all the features you use in Configuration items for devices managed with the Configuration Manager client.

開始之前,請先閱讀開始使用合規性設定以了解合規性設定的一些基本概念。Before you start, read Get started with compliance settings to learn some basics about compliance settings. 如需所需必要條件的詳細資訊,請參閱規劃和設定合規性設定Read Plan for and configure compliance settings for information about necessary prerequisites.

每個案例的通用資訊General information for each scenario

在每個案例中,您會建立執行特定工作的設定項目。In each scenario, you'll create a configuration item that performs a specific task. 若要開啟 [建立設定項目精靈] 並且啟動,請採取下列步驟:To open the Create Configuration Item Wizard and get started, take these steps:

  1. 在 Configuration Manager 主控台中,選取 [資產與合規性] > [合規性設定] > [設定項目] 。In the Configuration Manager console, select Assets and Compliance > Compliance Settings > Configuration Items.

  2. 在 [首頁] 索引標籤的 [建立] 群組中,選取 [建立設定項目] 。On the Home tab, in the Create group, select Create Configuration Item.

  3. 在 [建立設定項目精靈] 的 [一般] 頁面上 (如下列螢幕擷取畫面所示),指定設定項目的名稱與描述。On the General page of the Create Configuration Item Wizard, shown in the following screenshot, specify a name and description for the configuration item. 然後為本文中的每個案例選擇適當的設定項目類型。Then choose the appropriate configuration item type for each scenario in this article.

    [建立設定項目精靈] 的 [一般] 頁面

案例:停用 Windows 10 裝置上的藍牙Scenario: Disable Bluetooth on Windows 10 devices

在此案例中,您的安全性部門發現裝置上的藍牙功能可作為將公司機密資訊傳送到公司外部的方式。In this scenario, your security department has determined that the Bluetooth capability on devices could be used to transmit sensitive corporate information outside the company. 您最近將所有電腦都升級為 Windows 10。You've recently upgraded all your computers to Windows 10. 您決定停用這些裝置上的藍牙。You decide to disable Bluetooth on these devices.

  1. 在 [建立設定項目精靈] 的 [一般] 頁面上,選取 [Windows 10] 設定項目類型,然後選取 [下一步] 。On the General page of the Create Configuration Item Wizard, select the Windows 10 configuration item type, and then select Next.

  2. 在精靈的 [支援的平台] 頁面上,選取所有 Windows 10 平台。On the Supported Platforms page of the wizard, select all Windows 10 platforms.

  3. 在 [裝置設定] 頁面上,選取 [裝置] ,然後選取 [下一步] 。On the Device Settings page, select Device, and then select Next.

  4. 在 [裝置] 頁面上,選取 [禁止] 作為 [藍牙] 的值。On the Device page, select Prohibited as the value for Bluetooth.

  5. 選取 [補救不相容的設定] 確保變更套用至所有 Windows 10 裝置。Select Remediate noncompliant settings to ensure the change is applied to all Windows 10 devices.

  6. 完成精靈以建立設定項目。Complete the wizard to create the configuration item.

您現在可以使用以 Configuration Manager 建立及部署設定基準的一般工作文章中的資訊,協助您將已建立的設定部署至裝置。You can now use the information in the Common tasks for creating and deploying configuration baselines with Configuration Manager article to help you deploy the configuration you've created to devices.

案例:補救 Windows 桌上型電腦上的不正確登錄值Scenario: Remediate an incorrect registry value on Windows desktop computers

注意

在執行 Configuration Manager 用戶端的 Mac 電腦上 ,有兩個評估相容性選項:On Mac computers running the Configuration Manager client, you have two options for assessing compliance:

  • 評估 Mac OS X 喜好設定 (plist) 檔案。Evaluate a Mac OS X preferences (plist) file.
  • 使用自訂指令碼,並評估指令碼所傳回的結果。Use a custom script and evaluate the results returned by the script.

如需詳細資訊,請參閱如何為 Configuration Manager 用戶端所管理的 Mac OS X 裝置建立設定項目For more information, see How to create configuration items for Mac OS X devices managed with the Configuration Manager client.

在此案例中,您發現您所管理的某些 Windows 8.1 電腦上未正確地執行重要的企業營運應用程式。In this scenario, you discover that an important line-of-business app doesn't run correctly on some Windows 8.1 computers that you manage. 您發現這是因為某些電腦上名為 HKEY_LOCAL_MACHINE\SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1 的登錄機碼值設定為 [0] 。You determine that this is because a registry key named HKEY_LOCAL_MACHINE\SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1 is set to a value of 0 on some computers. 若要讓企業營運應用程式成功執行,此值必須設定為 [1] 。For the line-of-business app to run successfully, this value needs to be set to 1.

在此程序中,您將建立監視並自動補救所找到之任何不正確登錄機碼值的設定項目。In this procedure, you'll create a configuration item that monitors for and automatically remediates any incorrect registry key values that are found.

  1. 在 [建立設定項目精靈] 的 [一般] 頁面上,選取 [Windows 桌面或伺服器 (自訂)] 設定項目類型,然後選取 [下一步] 。On the General page of the Create Configuration Item Wizard, select the Windows Desktops and Servers (custom) configuration item type, and then select Next.

  2. 在精靈的 支援的平台 頁面上,選取 「Windows 8.1」 (確保設定項目僅套用至受影響的電腦)。On the Supported Platforms page of the wizard, select Windows 8.1 (to ensure the configuration item applies only to affected computers).

  3. 在 [設定] 頁面上,選取 [新增] 以建立新設定。On the Settings page, select New to create a new setting.

  4. 在 [建立設定] 對話方塊的 [一般] 索引標籤上,設定下列設定:On the General tab of the Create Setting dialog box, configure these settings:

    • 名稱 > 設定範例Name > Example setting

    • 設定類型 > 登錄值Setting type > Registry value

    • 資料類型 > 整數 (因為值只包含數字)Data type > Integer (because the value contains a number only)

    • Hive > HKEY_LOCAL_MACHINEHive > HKEY_LOCAL_MACHINE

    • 機碼 > SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1Key > SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1

    • > 1 (必要值)Value > 1 (the required value)

  5. 在 [建立設定] 對話方塊的 [合規性規則] 索引標籤上,選取 [新建] 。On the Compliance Rules tab of the Create Setting dialog box, select New. 在 [建立規則] 對話方塊中,設定下列設定:In the Create Rule dialog box, configure these settings:

    • 名稱 > 範例規則Name > Example Rule

    • 選取的設定 > 確認選取的設定為 [範例設定] 。Selected setting > Verify that the selected setting is Example setting.

    • 規則類型 > Rule type > Value

    • 設定必須符合下列規則 > 確認設定名稱正確,並將選項設定為指定設定值必須等於 1The setting must comply with the following rule > Verify that the setting name is correct and configure the option to specify that the setting value must equal 1.

    • 支援時補救不相容的規則 >選取此核取方塊,以確保 Configuration Manager 在值不正確時會重設正確的登錄機碼值。Remediate noncompliant rules when supported > Select this check box to ensure that Configuration Manager will reset the registry key value to the correct value if it's incorrect.

  6. 完成精靈以建立設定項目。Complete the wizard to create the configuration item.

您現在可以使用建立及部署設定基準的一般工作文章中的資訊,協助您將已建立的設定部署至裝置。You can now use the information in the Common tasks for creating and deploying configuration baselines article to help you deploy the configuration you've created to devices.

後續步驟Next steps

建立和部署設定基準Create and deploy configuration baselines