Use the following information to understand the compliance information displayed in the Configuration Manager 2007 desired configuration management reports. The reports provide you with the information you need to determine why a client is non-compliant with assigned configuration baselines.

For a list of available reports, see About Reports for Desired Configuration Management.

Desired configuration management evaluates compliance on a number of different levels which consolidate to define the overall compliance of a computer. These levels include the following:

The following sections explain how compliance is evaluated. For information about how the compliance information is sent to the site, see Compliance Sent As State Messages and Status Messages in Desired Configuration Management.

Evaluating the Compliance of a Configuration Item

When a client evaluates configuration items within an assigned configuration baseline, evaluation happens in the following order:

  • Applicability

  • Detection

  • Compliance of objects and settings

The result of the evaluation is reported as the configuration item's Actual Compliance, which has one of the values in the following table.

Actual Compliance Value Description

Not Applicable

This value is determined by the applicability property of the configuration item (for example, an exact Microsoft Windows platform version).

If the configuration item is not applicable to the client computer, detection is not evaluated, and the objects and settings in the configuration item are not evaluated.

Not Detected

This value is determined by the detection method configured for an application configuration item or the Windows version configured for an operating system configuration item.

If a configuration item is configured for detection and the configuration item is evaluated as not detected on a client computer, evaluation stops and the objects and settings in the configuration item are not evaluated.

Compliant or Non-Compliant

This value is determined by the object and settings properties and their configured validation criteria, and by the non-compliance severity level if the configured object or setting does not exist on a client computer.

If the configuration item is applicable and detected, the configuration item is evaluated for compliance with its objects and settings, using the validation criteria defined for them. The compliance for the configuration item is reported as Compliant or Non-Compliant, as determined by the compliance evaluation.

Failed

This situation could arise as a result of invalid Service Modeling Language (SML) specified in the configuration item.

For more information about SML and its use in desired configuration management, see About Authoring Configuration Data for Desired Configuration Management.

For detailed information about how each configuration item is evaluated, see How Each Configuration Item is Evaluated for Compliance in Desired Configuration Management.

Evaluating the Compliance of a Configuration Baseline Rule

After a configuration item is evaluated for compliance, its Actual Compliance is then evaluated against the configuration baseline rule to which it is applied. The result of this evaluation determines the compliance of the configuration baseline rule.

The configuration baseline rules are as follows:

  • One of the following operating system configuration items must be present and properly configured.

  • These applications and general configuration items are required and must be properly configured.

  • If these optional application configuration items are detected, they must be properly configured.

  • These software updates must be present.

  • These application configuration items must not be present.

  • These configuration baselines must also be validated.

These configuration baseline rules are displayed in the reports as the Required Compliance.

The following table lists the Required Compliance for each configuration baseline rule.

| Configuration Baseline Rule | Required Compliance |
| --- | --- |
| One of the following operating system configuration items must be present and properly configured. | One of many |
| These applications and general configuration items are required and must be properly configured. | Required |
| If these optional application configuration items are detected, they must be properly configured. | Optional |
| These software updates must be present. | Required |
| These application configuration items must not be present. | Prohibited |
| These configuration baselines must also be validated. | Required |

The Actual Compliance value (Not Applicable, Detected, Compliant or Non-Compliant) is compared with the Required Compliance of the configuration baseline rule. The result of this comparison determines whether the configuration baseline rule is compliant or non-compliant:

  • If the Actual Compliance aligns with the Required Compliance, the configuration item is compliant with its configuration baseline rule.

  • If the Actual Compliance conflicts with the Required Compliance, the configuration item is non-compliant with its configuration baseline rule.

The following table shows how the configuration item’s Actual Compliance aligns or conflicts with the Required Compliance of each configuration baseline rule, which determines the compliance of the configuration baseline rule.

Configuration Baseline Rule Required Compliance Actual Compliance values that result in the configuration baseline rule being Compliant Actual Compliance values that result in the configuration baseline rule being Non-compliant

One of the following operating system configuration items must be present and properly configured.

One of Many

  • Compliant

  • Not Detected

    (if no operating systems items are detected)

  • Non-Compliant

    (if any one operating system item is non-compliant)

These applications and general configuration items are required and must be properly configured.

Required

  • Not Applicable

  • Compliant

  • Non-Compliant

If these optional application configuration items are detected, they must be properly configured.

Optional

  • Not Applicable

  • Not Detected

  • Compliant

  • Non-compliant

These software updates must be present.

Required

  • Not Applicable

  • Compliant

  • Not Detected

These application configuration items must not be present.

Prohibited

  • Not Applicable

  • Not Detected

  • Compliant

  • Non-Compliant

These configuration baselines must also be validated.

Required

  • Compliant

  • Non-compliant

Evaluating the Compliance of Each Configuration Baseline

For each configuration baseline assigned to a client computer, the compliance status has one of the values in the following table.

Configuration Baseline Compliance Status Description

Unknown

There is no compliance information reported from the client.

This situation could arise as a result of any of the following circumstances:

  • The client computer has not yet received the configuration baseline in its machine policy.

  • The client computer has received the configuration baseline but has not completed its evaluation.

  • The client computer cannot contact its management point when it is due to send its first compliance evaluation report.

Failed

Compliance evaluation failed.

This situation could arise as a result of invalid Service Modeling Language (SML) specified in the configuration data.

For more information about SML and its use in desired configuration management, see About Authoring Configuration Data for Desired Configuration Management.

Compliant

If all configuration baseline rules evaluate as compliant, the configuration baseline itself will be compliant.

Non-Compliant

One or more configuration baseline rules evaluate as non-compliant (for example, a required application is not detected).

Evaluating the Compliance of a Client Computer

The overall compliance of a client computer depends on the compliance results of all the configuration baselines assigned to it. The possible compliance values for a client computer are the same compliance values as those used for a single configuration baseline. However, the compliance of all configuration baselines is aggregated.

For example, the client is compliant only if all configuration baselines evaluate as compliant. If a single configuration baseline from the total configuration baselines assigned to the client is non-compliant, the overall compliance of the client evaluates as non-compliant.
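The evaluation order for a configuration item and the roll-up to baseline and client compliance, modeled in Python as an added example (this is not Configuration Manager code). All names, the constructed sample client and item, the use of an exception to stand in for invalid SML, and the ranking of Failed over Unknown in the client roll-up are assumptions made for illustration.

```python
from enum import Enum

class Status(Enum):
    NOT_APPLICABLE = "Not Applicable"
    NOT_DETECTED = "Not Detected"
    COMPLIANT = "Compliant"
    NON_COMPLIANT = "Non-Compliant"
    FAILED = "Failed"
    UNKNOWN = "Unknown"

class InvalidConfigurationData(Exception):
    """Hypothetical stand-in for invalid SML in the configuration data."""

def evaluate_item(item, client):
    """Return the Actual Compliance of one configuration item."""
    try:
        # 1. Applicability: a non-applicable item is not evaluated further.
        if not item["applicable"](client):
            return Status.NOT_APPLICABLE
        # 2. Detection, only if the item is configured for it.
        detect = item.get("detect")
        if detect is not None and not detect(client):
            return Status.NOT_DETECTED
        # 3. Objects and settings, reached only when applicable and detected.
        ok = all(check(client) for check in item["settings"])
        return Status.COMPLIANT if ok else Status.NON_COMPLIANT
    except InvalidConfigurationData:
        return Status.FAILED

def baseline_status(rule_results):
    """rule_results: None if nothing was reported, else one bool per rule."""
    if rule_results is None:
        return Status.UNKNOWN
    return Status.COMPLIANT if all(rule_results) else Status.NON_COMPLIANT

def client_status(baselines):
    """Aggregate the statuses of all baselines assigned to a client."""
    if Status.NON_COMPLIANT in baselines:
        return Status.NON_COMPLIANT      # a single one is enough
    if all(b is Status.COMPLIANT for b in baselines):
        return Status.COMPLIANT          # only if every baseline is compliant
    # Assumption: the page does not rank Failed against Unknown.
    return Status.FAILED if Status.FAILED in baselines else Status.UNKNOWN

# Constructed sample: the targeted application is absent from the client.
CLIENT = {"os": "Windows XP", "installed": set(), "firewall": False}
ITEM = {"applicable": lambda c: c["os"] == "Windows XP",
        "detect": lambda c: "ExampleApp" in c["installed"],
        "settings": [lambda c: c["firewall"]]}
```

The sample item evaluates as Not Detected even though its firewall setting would fail, because the settings are never reached. A Not Applicable or Not Detected result in a report therefore says nothing about the state of the item's objects and settings.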
