Compliance settings in Microsoft System Center Configuration Manager 2012 provides a unified interface and user experience for managing the configuration and compliance of servers, laptop computers, desktop computers and mobile devices in your organization. Compliance settings contains tools that help you assess whether users and client devices comply with a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check compliance for software updates, security settings and mobile devices. Configuration item settings of the type WMI, registry and script, and all mobile device settings, can be configured in Configuration Manager 2012 to automatically remediate noncompliant settings when they are found.
Compliance settings is the new name for Configuration Manager 2007 desired configuration management.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define the compliance that you require. This configuration data can come from several sources: it can be imported from the web in Microsoft System Center Configuration Manager Configuration Packs as best practices defined by Microsoft and other vendors, defined within Configuration Manager, defined externally and then imported into Configuration Manager, or created as new configuration items and configuration baselines by an administrative user.
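The following is an added example, not part of the Configuration Manager documentation, showing what a script-type configuration item setting with remediation looks like in practice. The setting it enforces (SMB signing required on both the SMB server and SMB client services) is a constructed choice for illustration; the registry paths are the real Windows locations for those settings, and the function names are this example's own. The same file serves as both the discovery script and, with its last line changed, the remediation script.

```powershell
# Added example (not from the Configuration Manager documentation): a discovery
# and remediation script pair for a script-type configuration item setting.
#
# How it maps onto the console:
#   - Discovery script:   paste this file as-is. It writes exactly one string,
#                         "Compliant" or "NonCompliant", to standard output.
#   - Compliance rule:    setting data type String; rule "Value returned by the
#                         script Equals Compliant"; enable "Run the specified
#                         remediation script when this setting is noncompliant".
#   - Remediation script: paste this file again with the last line changed from
#                         Test-SmbSigningCompliance to Repair-SmbSigning.
# Remediation only runs when the baseline deployment has "Remediate noncompliant
# rules when supported" enabled.

# Constructed list of the settings this CI enforces: key path, value name, required data.
$RequiredValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing, so a
    # missing value is reported as noncompliant rather than as a script error.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Test-SmbSigningCompliance {
    # Discovery: the script must emit a single value for the rule to compare.
    # Anything else written to the output stream would corrupt that value,
    # so the helpers return results rather than writing them.
    foreach ($r in $RequiredValues) {
        $current = Get-RegistryDword -Path $r.Path -Name $r.Name
        if ($current -ne $r.Value) {
            Write-Output 'NonCompliant'
            return
        }
    }
    Write-Output 'Compliant'
}

function Repair-SmbSigning {
    # Remediation: create the key if needed and set each value that is missing
    # or wrong. A device setting runs as LocalSystem, which can write HKLM.
    foreach ($r in $RequiredValues) {
        if (-not (Test-Path -Path $r.Path)) {
            New-Item -Path $r.Path -Force | Out-Null
        }
        if ((Get-RegistryDword -Path $r.Path -Name $r.Name) -ne $r.Value) {
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -Type DWord
        }
    }
    # The client evaluates the setting again after remediation runs.
}

Test-SmbSigningCompliance
```

Two practical checks before deploying such a CI: the client's PowerShell execution policy setting must allow the script to run, and if the agent runs scripts in a 32-bit PowerShell host, keys under HKLM\SOFTWARE are subject to WOW64 registry redirection (the HKLM\SYSTEM keys used here are not).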
After a configuration baseline is defined, it can be deployed to devices through collections and evaluated on a schedule. Client devices can have multiple configuration baselines deployed to them, which provides the administrator with a high level of control.
Client devices evaluate their compliance against each deployed configuration baseline and immediately report the results to the site by using state messages and status messages. If a client is not currently connected to the network but has downloaded the configuration items referenced in a deployed configuration baseline, the compliance information is sent when the client reconnects.
You can monitor the results of the configuration baseline evaluation compliance from the Deployments node of the Monitoring workspace in the Configuration Manager console to view the most common causes of noncompliance, errors and the number of users and devices affected. You can also run a number of compliance settings reports to find further details, such as which devices are compliant or noncompliant and which element of the configuration baseline is causing a computer to be noncompliant. You can also view compliance evaluation results from Windows clients by using the Configurations tab from Configuration Manager in Windows Control Panel.
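As an added example (not code from the Configuration Manager documentation), the script below is the scripted equivalent of the Configurations tab in the Control Panel applet described above: it lists the configuration baselines deployed to a client, triggers an evaluation of each, and then reads back the compliance state that the agent will forward to the site as state messages. It assumes it is run elevated on a device with the Configuration Manager 2012 client installed; the WMI namespace, class and property names are those the client exposes under root\ccm\dcm, and the status-code table is an assumption about that client's reporting, labelled as such in the code.

```powershell
# Added example (not from the Configuration Manager documentation): trigger
# baseline evaluation on a client and report the resulting compliance state.
# Assumes the Configuration Manager 2012 client agent is installed and the
# script runs with local administrator rights.

$Namespace = 'root\ccm\dcm'

# LastComplianceStatus codes as observed from the client agent (assumption,
# used only to make the output readable).
$ComplianceState = @{
    0 = 'NonCompliant'
    1 = 'Compliant'
    2 = 'Submitted'
    3 = 'Unknown'
    4 = 'Detecting'
    5 = 'NotEvaluated'
}

function Get-DeployedBaseline {
    # One SMS_DesiredConfiguration instance per configuration baseline deployed
    # to this client, machine-targeted and user-targeted alike.
    Get-WmiObject -Namespace $Namespace -Class SMS_DesiredConfiguration
}

function Invoke-BaselineEvaluation {
    param([Parameter(Mandatory = $true)] $Baseline)
    # TriggerEvaluation is a static method on the class; the baseline is
    # identified by Name and Version. Evaluation runs asynchronously and the
    # agent sends the outcome to the site as a state message.
    $class  = [wmiclass]"${Namespace}:SMS_DesiredConfiguration"
    $result = $class.TriggerEvaluation($Baseline.Name, $Baseline.Version)
    return $result.ReturnValue   # 0 means the evaluation was started
}

function Get-BaselineReport {
    param([int]$WaitSeconds = 60)
    $baselines = @(Get-DeployedBaseline)
    if ($baselines.Count -eq 0) {
        Write-Warning 'No configuration baselines are deployed to this client.'
        return
    }
    foreach ($b in $baselines) {
        $rc = Invoke-BaselineEvaluation -Baseline $b
        if ($rc -ne 0) {
            Write-Warning "TriggerEvaluation for '$($b.DisplayName)' returned $rc"
        }
    }
    # Give the agent time to finish, then re-read the instances: the objects
    # fetched before the trigger hold the previous LastComplianceStatus.
    Start-Sleep -Seconds $WaitSeconds
    Get-DeployedBaseline | ForEach-Object {
        $evalTime = $null
        if ($_.LastEvalTime) {
            $evalTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastEvalTime)
        }
        [pscustomobject]@{
            Baseline     = $_.DisplayName
            Version      = $_.Version
            Target       = if ($_.IsMachineTarget) { 'Device' } else { 'User' }
            Status       = $ComplianceState[[int]$_.LastComplianceStatus]
            LastEvalTime = $evalTime
        }
    }
}

Get-BaselineReport | Format-Table -AutoSize
```

This shows what the client knows locally; the Deployments node and the compliance reports in the console reflect the same results only after the state messages have been processed at the site, which is why the numbers there can lag a freshly triggered evaluation.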
You can use compliance settings to support the following business requirements:
- Compare the configuration of desktop computers, laptop computers, servers and mobile devices in your enterprise against best practice configurations from Microsoft and other vendors.
- Verify the configuration of provisioned devices against one or more custom-defined configuration baselines before the computers go into production.
- Identify device or user configurations that are not authorized by change control procedures.
- Prioritize noncompliance with four levels of severity (None, Information, Warning and Critical).
- Report compliance with regulatory policies and in-house security policies.
- Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.
- Provide the help desk with the means to detect probable causes for reported incidents and problems by identifying noncompliant configurations.
- Automatically remediate certain incorrect settings on computers and mobile devices.
- Remediate noncompliance with software distribution that targets computers with software packages or scripts, by using a collection that is automatically populated with computers reporting noncompliance.
- Leverage management products that monitor Windows events on computers to take automatic action when a configuration is reported out of compliance.
For example scenarios about how compliance can be implemented to address these requirements, see Example Scenarios for Implementing Compliance Settings in Configuration Manager 2012.
What’s New in Configuration Manager 2012
The following features of compliance settings are new or have been changed since Configuration Manager 2007.
- Configuration Manager 2007 desired configuration management is now called compliance settings in Configuration Manager 2012.
- Configuration Manager 2012 provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results.
- An administrative user can create registry and file system settings by browsing to an existing file, folder or registry setting on a reference computer.
- Creating configuration baselines has been simplified.
- Settings can be reused for multiple configuration items.
- Remediation is supported for WMI, registry, script and all mobile device settings that are noncompliant.
- When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If compliance is below the specified threshold after a specified date and time, Configuration Manager 2012 generates an alert to notify the administrator.
- The new monitoring features of Configuration Manager 2012 can be used to monitor compliance settings and to view the most common causes of noncompliance, errors and the number of users and devices affected.
- Configuration baselines can be deployed to users and devices.
- Compliance settings can be used to manage mobile devices in the enterprise.
- Configuration item versioning allows you to view previous versions of configuration items. You can restore or delete previous versions of configuration items and see the user names of those who made changes.
- Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings stored in HKEY_CURRENT_USER and user-based script settings configured by an administrative user.
- Improved reports contain rule details, remediation information and troubleshooting information.
- You can now detect and report conflicting compliance rules.
- Unlike Configuration Manager 2007, Configuration Manager 2012 does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings and that cannot be interpreted by the Configuration Manager console; consequently its properties cannot be viewed or edited in the console. Before you import Configuration Packs or configuration baselines into Configuration Manager 2012, you must remove any uninterpreted configuration items in Configuration Manager 2007.
- You can migrate configuration items and configuration baselines from Configuration Manager 2007 into Configuration Manager 2012. During migration, configuration data is automatically converted into the new format.