Use the following information to understand the compliance information displayed in the Configuration Manager 2007 desired configuration management reports. The reports provide you with the information you need to determine why a client is non-compliant with assigned configuration baselines.
For a list of available reports, see About Reports for Desired Configuration Management.
Desired configuration management evaluates compliance on a number of different levels which consolidate to define the overall compliance of a computer. These levels include the following:
- The compliance of a
configuration item
- The compliance of a
configuration baseline rule
- The compliance of
each configuration baseline
- The compliance of a client
computer
The following sections explain how compliance is evaluated. For information about how the compliance information is sent to the site, see Compliance Sent As State Messages and Status Messages in Desired Configuration Management.
Evaluating the Compliance of a Configuration Item
When a client evaluates configuration items within an assigned configuration baseline, evaluation happens in the following order:
- Applicability
- Detection
- Compliance of objects and settings
The results of the evaluation are reported as the configuration item's Actual Compliance, and reported as one of the values in the following table.
Actual Compliance Value | Description |
---|---|
Not Applicable |
This value is determined by the applicability property of the configuration item (for example, an exact Microsoft Windows platform version). If the configuration item is not applicable to the client computer, detection is not evaluated, and the objects and settings in the configuration item are not evaluated. |
Not Detected |
This value is determined by the detection method configured for an application configuration item or the Windows version configured for an operating system configuration item. If a configuration item is configured for detection and the configuration item is evaluated as not detected on a client computer, evaluation stops and the objects and settings in the configuration item are not evaluated. |
Compliant or Non-Compliant |
This value is determined by the object and settings properties and their configured valuation criteria, and the non-compliance severity level if the configured object or setting or does not exist on a client computer. If the configuration item is applicable and detected, the configuration item is evaluated for compliance with its objects and settings, using the valuation criteria defined for them. The compliance for the configuration reports Compliant or Non-Compliant, as determined by the compliance evaluation. |
Failed |
This situation could arise as a result of invalid Service Modeling Language (SML) specified in the configuration item. For more information about SML and its use in desired configuration management, see About Authoring Configuration Data for Desired Configuration Management. |
For detailed information about how each configuration item is evaluated, see How Each Configuration Item is Evaluated for Compliance in Desired Configuration Management.
Evaluating the Compliance of a Configuration Baseline Rule
After a configuration item is evaluated for compliance, its Actual Compliance is then evaluated against the configuration baseline rule to which it is applied. The result of this evaluation determines the compliance of the configuration baseline rule.
The configuration baseline rules are as follows:
- One of the following operating system
configuration items must be present and properly
configured.
- These applications and general
configuration items are required and must be properly
configured.
- If these optional application
configuration items are detected, they must be properly
configured.
- These software updates must be
present.
- These application configuration items must
not be present.
- These configuration baselines must also be
validated.
These configuration baseline rules are displayed in the reports as the Required Compliance.
The following table lists the Required Compliance for each configuration baseline rule.
Configuration Baseline Rule | Required Compliance |
---|---|
One of the following operating system configuration items must be present and properly configured. |
One of many |
These applications and general configuration items are required and must be properly configured. |
Required |
If these optional application configuration items are detected, they must be properly configured. |
Optional |
These software updates must be present. |
Required |
These application configuration items must not be present. |
Prohibited |
These configuration baselines must also be validated. |
Required |
The Actual Compliance value (Not Applicable, Detected, Compliant or Non-Compliant) is compared with the Required Compliance of the configuration baseline rule. The results of this comparison determine whether the configuration baseline rule is compliant, or non-compliant:
- If the Actual Compliance aligns to the
Required Compliance, the configuration item is compliant with its
configuration baseline rule.
- If the Actual Compliance conflicts with the
required compliance, the configuration item is non-compliant with
its configuration baseline rule.
The following table shows how the configuration item’s Actual Compliance aligns or conflicts with the Required Compliance of each configuration baseline rule, which determines the compliance of the configuration baseline rule.
Configuration Baseline Rule | Required Compliance | Actual Compliance values that results in the configuration baseline rule being Compliant | Actual Compliance values that results in the configuration baseline rule being Non-compliant |
---|---|---|---|
One of the following operating system configuration items must be present and properly configured. |
One of Many |
|
|
These applications and general configuration items are required and must be properly configured. |
Required |
|
|
If these optional application configuration items are detected, they must be properly configured. |
Optional |
|
|
These software updates must be present. |
Required |
|
|
These application configuration items must not be present. |
Prohibited |
|
|
These configuration baselines must also be validated. |
Required |
|
|
Evaluating the Compliance of Each Configuration Baseline
For each configuration baseline assigned to a client computer, the compliance status has one of the values in the following table.
Configuration Baseline Compliance Status | Description |
---|---|
Unknown |
There is no compliance information reported from the client. This situation could arise as a result of any of the following circumstances:
|
Failed |
Compliance evaluation failed. This situation could arise as a result of invalid Service Modeling Language (SML) specified in the configuration data. For more information about SML and its use in desired configuration management, see About Authoring Configuration Data for Desired Configuration Management. |
Compliant |
If all configuration baseline rules evaluate as compliant, the configuration baseline itself will be compliant. |
Non-Compliant |
One or more configuration baseline rules evaluate as non-compliant (for example, a required application is not detected). |
Evaluating the Compliance of a Client Computer
The overall compliance of a client computer depends on the compliance results of all the configuration baselines assigned to it. The possible compliance values for a client computer are the same compliance values as those used for a single configuration baseline. However, the compliance of all configuration baselines is aggregated.
For example, the client is compliant only if all configuration baselines evaluation as compliant. If a single configuration baseline from the total configuration baselines assigned to the client is non-compliant, the overall compliance of the client evaluates as non-compliant.
See Also
Tasks
How to Identify SML Compliance Evaluation Problems in Desired Configuration ManagementConcepts
About Authoring Configuration Data for Desired Configuration ManagementAbout Configuration Baselines in Desired Configuration Management
About Configuration Items in Desired Configuration Management
How Each Configuration Item is Evaluated for Compliance in Desired Configuration Management
Compliance Sent As State Messages and Status Messages in Desired Configuration Management
About the Non-Compliance Severity Level in Desired Configuration Management
About Reports for Desired Configuration Management
About Validation Criteria in Desired Configuration Management
Example Compliance Evaluation for a Desired Configuration Management Application Item