How to Create Windows Configuration Items for Compliance Settings in Configuration Manager 2012

Updated: May 1, 2011

Applies To: System Center Configuration Manager 2012

Configuration items in Microsoft System Center Configuration Manager 2012 define configurations that you want to manage and assess for compliance on client computers. Configuration items can be one of four types:

  • Application configuration item – Used to determine compliance for an application. This can include whether the application is installed as well as details about its configuration.

  • Operating system configuration item – Used to determine compliance for settings relating to the operating system and its configuration.

  • Software updates configuration item - Software updates configuration items are automatically created when you download software updates with the Software Updates feature. You do not create or see these configuration items in the Compliance Settings node, but you can select them when you define configuration baselines.

  • General configuration item – Used to determine compliance for mobile devices. For more information about creating configuration items for mobile devices, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager 2012.

There are four different ways to create a new configuration item in the Configuration Manager console:

  • Duplicate - Create a duplicate configuration item from the Configuration Items node. This approach is appropriate if you want an exact copy of an existing configuration item to use as your starting point, but you want to modify it to create an independent configuration item from the original. To create a duplicate of a configuration item, select a configuration item in the Configuration Items node and then, in the Home tab, in the Configuration Item group, click Copy.

    Important
    When you create a duplicate configuration baseline or configuration item, the duplicate does not retain a relationship to the original configuration data. Therefore, if the original configuration data is upgraded, any revisions are not passed to the duplicate configuration baseline or configuration item.
  • Create a child configuration item - Create a child configuration item from the Configuration Items node. This approach is appropriate if you want a configuration item that continues to inherit the properties of an existing configuration item but refines them with more detailed configuration. For more information about how to create a child configuration item, see How to Create Child Configuration Items in Configuration Manager 2012.

    Important
    When you create a child configuration item, the child retains a relationship to the original configuration item. Therefore, if the original configuration item is updated, any revisions are passed to the child configuration item. Additionally, if the original configuration item is deleted, any child configuration items are also automatically deleted.
  • Import - Import configuration data from a file. For more information, see How to Manage Configuration Items for Compliance Settings in Configuration Manager 2012.

  • Create a new configuration item - Use the Create Configuration Item Wizard to create the configuration item. This approach is appropriate if you want to configure all the properties or you have no existing configuration item from which you can create a duplicate or a child configuration item. Use the following steps to create a Configuration Manager 2012 Windows configuration item by using the Create Configuration Item Wizard.

    Note
    For more information about mobile device configuration items, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager 2012.

Use the following table to view the steps that are required to create a configuration item by using the Create Configuration Item Wizard:

 

Step More Information

Step 1: Start the Create Configuration Item Wizard.

See the following procedure in this topic: Start the Create Configuration Item Wizard

Step 2: Provide general information about the configuration item.

See the following procedure in this topic: Provide General Information about the Configuration Item

Step 3: Provide detection method information for the configuration item.

A detection method contains rules that detect if an application is installed on a client device before it is assessed for compliance.

Note
Detection methods apply only to application configuration items (you have selected This configuration item contains application settings on the General page of the wizard).

See the following procedure in this topic: Provide Detection Method Information for the Configuration Item

Step 4: Configure settings for the configuration item.

A setting represents the business or technical conditions that will be used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer.

See the following procedure in this topic: Configure Settings for the Configuration Item

Step 5: Configure compliance rules for the configuration item.

Compliance rules specify the conditions that define the compliance of a configuration item. Some settings allow you to remediate values that are found to be noncompliant. You can create new rules or browse to an existing rule contained in any setting.

See the following procedure in this topic: Configure Compliance Rules for the Configuration Item

Step 6: Specify supported platforms for the configuration item.

Supported platforms are the operating systems on which a configuration item will be assessed for compliance.

See the following procedure in this topic: Specify Supported Platforms for the Configuration Item

Step 7: Complete the Wizard.

Complete the wizard to create the new configuration item.

Supplemental Procedures

Use the following procedures for the steps in the preceding table.

Start the Create Configuration Item Wizard

Note
Use the following procedure for step 1 in the preceding table.

To start the Create Configuration Item Wizard

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items.

  3. On the Home tab, in the Create group, click Create Configuration Item.

Provide General Information about the Configuration Item

Note
Use the following procedure for step 2 in the preceding table.

To provide general information about the configuration item

  1. On the General page of the Create Configuration Item Wizard, specify the following information:

    • Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters.

    • Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

  2. From the Specify type of configuration item that you want to create drop-down list, select Windows.

  3. If this configuration item will be used to assess the compliance of an application and you want to use a detection method to detect if the application is present, select This configuration item contains application settings.

  4. Click Categories to assign optional categories to the configuration item to make it easier to search for and filter in the Configuration Manager console. For more information, see How to Manage Configuration Items for Compliance Settings in Configuration Manager 2012.

Provide Detection Method Information for the Configuration Item

Note
Use the following procedure for step 3 in the preceding table.

Note
Applies only if you selected This configuration item contains application settings on the General page of the wizard.

A detection method in Configuration Manager 2012 contains rules that are used to detect whether an application is installed on a computer. This detection occurs before the configuration item is assessed for compliance. To detect whether an application is installed, you can detect the presence of a Windows Installer file for the application, use a custom script, or select Always assume application is installed to assess the configuration item for compliance regardless of whether the application is installed.

Use these procedures to configure detection methods in Configuration Manager 2012:

To detect an application installation by using the Windows Installer File

  1. On the Detection Methods page of the Create Configuration Item Wizard, select Use Windows Installer detection.

  2. Click Open, browse to the Windows Installer (MSI) file that you want to detect, and then click Open.

  3. The Version field is automatically populated with the version number of the Windows Installer file that you selected. You can enter a new version number in this field if the displayed value is incorrect.

  4. Select This application is not installed for all users if you want detection to be performed for each user profile on the computer.

To detect an application installation using a custom script

  1. On the Detection Methods page of the Create Configuration Item Wizard, select Use a custom script to detect this application.

  2. From the drop-down list, select the language of the script you want to open. The available languages are the following:

    • VBScript

    • JScript

    • PowerShell

  3. Click Open, browse to the script you want to use, and then click Open.

Configure Settings for the Configuration Item

Note
Use the following procedure for step 4 in the preceding table.

Settings represent the business or technical conditions that will be used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer.

To create a setting

  1. On the Settings page of the Create Configuration Item Wizard, click New.

  2. On the General tab of the Create Setting dialog box, provide the following information:

    • Name: Enter a unique name for the setting. You can use a maximum of 256 characters.

    • Description: Enter a description for the setting. You can use a maximum of 256 characters.

    • Setting type: From the drop-down list, choose the item that you want to use as the condition for which the setting will be checked.

    • Data type: From the drop-down list, choose the format in which data will be returned by the condition before it is used to assess the setting.

      Note
      The Data type drop-down list is not displayed for all setting types.
  3. Configure further details about this setting below the Setting type drop-down list. The items you can configure will vary depending on the setting type you have selected.

    Note
    When you create settings of the type File system, Registry key and Registry value, you can click Browse to configure the setting from values on a reference computer.
  4. Click OK to save the setting and close the Create Setting dialog box.

Configure Compliance Rules for the Configuration Item

Note
Use the following procedure for step 5 in the preceding table.

Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. Some settings allow you to remediate values that are found to be noncompliant. You can create new rules or browse to an existing rule contained in any setting.

To create a compliance rule

  1. On the Compliance Rules tab of the Create Configuration Item Wizard, click New.

  2. In the Create Rule dialog box, provide the following information:

    • Name: Enter a name for the compliance rule.

    • Description: Enter a description for the compliance rule.

    • Selected setting: Click Browse to open the Select Setting dialog box. Select the setting you want to define a rule for or click New Setting. When you are finished, click Select.

      Note
      You can also click Properties to view information about the currently selected setting.
    • Rule type: Select the type of compliance rule you want to use:

      • Value: Create a rule that compares the value returned by the configuration item against a value you specify.

      • Existential: Create a rule that evaluates the setting depending on whether or not it exists on a client device or on the number of times it is found.

    • Remediate noncompliant rules when supported: Select this option if you want Configuration Manager 2012 to automatically remediate noncompliant rules. Configuration Manager 2012 can automatically remediate the following rule types:

      • Registry value

      • Script (by automatically running a remediation script).

      • WQL Query

    • Noncompliance severity for reports: Specify the severity level that will be reported if this compliance rule fails. The available severity levels are the following:

      • None: Computers that fail this compliance rule will not report a failure severity for Configuration Manager reports.

      • Information: Computers that fail this compliance rule will report a failure severity of Information for Configuration Manager reports.

      • Warning: Computers that fail this compliance rule will report a failure severity of Warning for Configuration Manager reports.

      • Critical: Computers that fail this compliance rule will report a failure severity of Critical for Configuration Manager reports.

      • Critical with event: Computers that fail this compliance rule will report a failure severity of Critical for Configuration Manager reports. This severity level will also be logged as a Windows event in the application event log.

  3. Click OK to close the Create Rule dialog box.
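
The following is an added example, not part of the original topic: a PowerShell discovery script for a setting of type Script with the String data type, meant to be paired with a Value rule that expects the returned value to equal Compliant. The registry paths, value names, expected data, and the helper name Test-RegistryValue are assumptions chosen for illustration.

```powershell
# Added example: discovery script for a Script-type setting (data type: String).
# Intended compliance rule: Value rule, returned value Equals "Compliant".
# The registry locations and expected data below are illustrative assumptions.

$expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Data = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1';     Data = 0 }
)

# Hypothetical helper: returns $true only when the value exists and matches.
# A missing key or missing value is treated as noncompliant, not as an error.
function Test-RegistryValue {
    param(
        [string]$Path,
        [string]$Name,
        $Data
    )
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return ($item.$Name -eq $Data)
    }
    catch {
        return $false
    }
}

# Collect the names of every value that is missing or has unexpected data.
$failed = @()
foreach ($e in $expected) {
    if (-not (Test-RegistryValue -Path $e.Path -Name $e.Name -Data $e.Data)) {
        $failed += $e.Name
    }
}

# Emit exactly one string; the compliance rule compares this returned value.
if ($failed.Count -eq 0) {
    'Compliant'
}
else {
    'NonCompliant: ' + ($failed -join ',')
}
```

Because the rule compares the whole returned string, any output other than exactly Compliant is assessed as noncompliant, and the failing value names are carried in the returned string.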

Specify Supported Platforms for the Configuration Item

Note
Use the following procedure for step 6 in the preceding table.

Supported platforms are the operating systems on which a configuration item will be assessed for compliance.

To specify supported platforms for the configuration item

  1. On the Supported Platforms page of the Create Configuration Item Wizard, specify one of the following options:

    • Select the versions of Windows that will assess this configuration item for compliance: From the list, select the Windows versions on which you want the configuration item to be assessed for compliance, or click Select all.

    • Specify the version of Windows manually: Click Add to open the Specify Windows Version Manually dialog box, and then provide the full version number of the version of Windows on which you want the configuration item to be assessed for compliance.

      Note
      You can use the winver.exe command from a Windows command prompt to display the full Windows version.
  2. Click OK to close the Specify Windows Version Manually dialog box.
