Compliance settings in System Center 2012 Configuration Manager provides a unified interface and user experience that lets you manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in your organization. Compliance settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates, security settings, and mobile devices. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found.
Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate and settings and rules that describe the level of compliance you must have. You can import this configuration data from the web in Microsoft System Center Configuration Manager Configuration Packs as best practices that are defined by Microsoft and other vendors, in Configuration Manager, and that you then import into Configuration Manager. Or, an administrative user can create new configuration items and configuration baselines.
After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them. This provides the administrator with a high level of control.
Client devices evaluate their compliance against each deployed configuration baseline and immediately report the results to the site by using state messages and status messages. If a client device is currently not connected to the network, but has downloaded the configuration items that are referenced in a deployed configuration baseline, the configuration baseline is evaluated for compliance. The compliance information is sent on reconnection. You can also view compliance evaluation results from clients that are running Windows by using the Configurations tab in Configuration Manager in Control Panel.
You can monitor the results of the configuration baseline evaluation compliance from the Deployments node in the Monitoring workspace in the Configuration Manager console to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can also run compliance settings reports to find additional details, such as which devices are compliant or noncompliant, and which element of the configuration baseline is causing a computer to be noncompliant. You can also view compliance evaluation results from Windows clients by using the Configurations tab in Configuration Manager in Control Panel.
You can use compliance settings to support the following business requirements:
- Compare the configuration of desktop
computers, laptops, servers, and mobile devices in your enterprise
against best practices configurations from Microsoft and other
- Verify the configuration of provisioned
devices against one or more custom-defined configuration baselines
before the computers go into production.
- Identify device configurations that are not
authorized by change control procedures.
- Prioritize noncompliance with five levels of
severity (None, Information, Warning, Critical, and Critical with
- Report compliance with regulatory policies
and in-house security policies.
- Identify security vulnerabilities, as defined
by Microsoft and other software vendors, across your
- Provide the help desk with the information to
detect probable causes of reported incidents and problems by
identifying noncompliant configurations.
- Automatically remediate noncompliant settings
for WMI, the registry, scripts, and all settings for the mobile
devices that are enrolled by Configuration Manager.
- Remediate noncompliance by deploying
applications, packages and programs, or scripts to a collection
that is automatically populated with computers that report that
they are out of compliance.
- Integrate with other management products that
monitor Windows events on computers to take automatic action when a
configuration is reported as noncompliant.
For an example scenario that shows how you might use compliance settings in your environment, see Example Scenario for Compliance Settings in Configuration Manager.
User Data and Profiles Configuration Items
For Configuration Manager SP1 only:
User data and profiles configuration items contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy them to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. Unlike other configuration items, you do not add these to configuration baselines before you deploy them. You can deploy them directly with the Deploy User Data and Profiles Configuration Item dialog box.
For more information, see the topic How to Create User Data and Profiles Configuration Items in Configuration Manager.