
Module 12

Managing Compliance Settings
Module Overview
• Overview of Compliance Settings
• Configuring Compliance Settings
• Viewing Compliance Results
Lesson 1: Overview of Compliance Settings
• Introduction to Compliance Settings 
• What Are Configuration Items?
• What Are Configuration Baselines?
• What Are Configuration Packs?
• The Process for Deploying Compliance Settings 
• Scenarios for Using Compliance Settings
Introduction to Compliance Settings
Compliance settings:
• Provide an interface to monitor client configuration and remediate noncompliant settings
• Can be used for business requirements such as:
  • Verifying configuration of devices
  • Identifying compliance issues
  • Reporting compliance for regulatory reasons
What Are Configuration Items?
Configuration items define one or more settings that you wish to assess for compliance.

In a configuration item, you can:
• Specify the compliance rule
• Define the severity levels for noncompliance
• Specify remediation, if supported

• A child configuration item is a linked copy of a parent configuration item
• An administrator cannot edit copied settings but can add additional settings
What Are Configuration Baselines?
A configuration baseline is a group of configuration items.

Configuration baselines:
• Can contain:
  • Configuration items
  • Software updates
  • Other configuration baselines
• Can be configured for remediation
• Are deployed to collections
• Use a default schedule for evaluations; you can customize the schedule

You can deploy multiple configuration baselines to a single collection.
What Are Configuration Packs?

Configuration packs are preconfigured configuration items or configuration baselines.

You can import configuration packs from:
• Microsoft System Center Management Pack Catalog
• Existing Configuration Manager 2007 Packs
• Microsoft or third-party sources that define best practices
• Online communities on the Internet
• Custom configuration baselines from your organization
• Another Configuration Manager site


The Process for Deploying Compliance Settings
[Diagram: Configuration Management Packs, Configuration Manager Database, Configuration Manager Server, Configuration Baseline, Managed Client]

1. Configuration items imported or created
2. Configuration baseline imported or created
3. Configuration baseline deployed
4. Configuration baseline downloaded with policy
5. Evaluation run on schedule
6. Compliance state messages sent from the client
7. Compliance reports are run

Compliance data stored in database
Scenarios for Using Compliance Settings
The Compliance Settings feature can help you solve different kinds of issues, such as:
• To find misconfigured systems, you can:
  1. Download best practice baseline
  2. Evaluate systems against best practices
  3. Remediate identified issues
• To remediate noncompliance of settings, you can:
  1. Configure compliance checking
  2. Create configuration items for autoremediation of settings
  3. Configure applications with requirements rules and dependencies
Lesson 2: Configuring Compliance Settings
• Configuring Client Settings to Support Compliance
• Creating Configuration Items
• Types of Configuration Item Settings
• Demonstration: Creating a Configuration Item
• Configuring Remediation
• Demonstration: Configuring Remediation on a
Configuration Item
• Creating Configuration Baselines
• Deploying Configuration Baselines
• Demonstration: Creating and Deploying a Configuration
Baseline
Configuring Client Settings to Support Compliance

• The default settings allow you to:
  • Enable or disable compliance evaluation
  • Configure the schedule

• Custom settings allow you only to:
  • Enable or disable compliance evaluation
Creating Configuration Items

• Specify a name and description for the configuration item
• Specify the type of configuration item:
  • Windows clients
  • Mobile devices
• Create all or specific versions of supported clients
• Create settings that need to be monitored
• Specify compliance rules for the configuration item
Types of Configuration Item Settings
There are 10 setting types for Windows configuration items:

The mobile device setting groups include:

The operators in a compliance rule: Equals, Not equal to, Greater than, Greater than or equal to, Less than, Less than or equal to, Between, One of or None of.
Demonstration: Creating a Configuration Item
In this demonstration, you will see how to create a
configuration item
Configuring Remediation
• Remediation is only available for the following settings:
  • Registry values
  • Scripts
  • WMI Query Language (WQL) Query configuration items
  • All mobile phones

• Remediation can be in the form of:
  • Create the value if it doesn’t exist
  • Set the value if it exists but is not compliant
  • Run a remediation script
  • Set the value for the phone settings if supported

• For remediation to occur, you need to configure remediation on both the configuration item and the deployment
Demonstration: Configuring Remediation on a
Configuration Item
In this demonstration, you will see how to enable
remediation on a configuration item
Creating Configuration Baselines

Create a configuration baseline in one of the following ways:
• Use the Create Configuration Baseline dialog box (most common method)
• Import configuration data
• Copy an existing configuration baseline
Deploying Configuration Baselines

• Select this option to allow configuration items with remediation enabled to apply the appropriate remediation action
• Select the user or device collection in which this baseline will be deployed
• Use the default schedule as in the Client Agent settings or create a custom schedule
Demonstration: Creating and Deploying a
Configuration Baseline
In this demonstration, you will see how to:
• Create a configuration baseline
• Deploy a configuration baseline
Lesson 3: Viewing Compliance Results
• Viewing Compliance in the Configuration Manager Client
• Viewing Compliance Results in the Configuration Manager
Console
• Compliance Settings Logs
Viewing Compliance in the Configuration
Manager Client

You can perform the following actions on the Configurations tab:
• Evaluate. This option causes the selected baseline to be evaluated on demand
• View Report. This option generates a report of the selected baseline if you have local administrator rights
• Refresh. This option causes the view to be refreshed
Viewing Compliance Results in the Configuration
Manager Console
You can use the compliance results reported by the client for:
• Monitoring. View and monitor results in the Deployments node
• Creating collections. Create collections by using the compliance state of configuration items
• Viewing reports. There are several reports for viewing compliance results
Compliance Settings Logs
Log file: Description
• dcmagent.log: Provides high-level information about evaluation of assigned configuration baselines and Compliance Settings processes
• dcmreporting.log: Provides information about locally generated evaluation reports
• ciagent.log: Provides information about downloading, storing, and accessing assigned configuration baselines
• cidownloader.log: Provides information about downloading, storing, and accessing configuration item content
• cistatestore.log: Provides information about the configuration items and their state as they are used to generate evaluation results
• cistore.log: Provides information about the configuration item content that is stored locally
• StateMessage.log: Provides information about when state messages for software updates are created and sent to the management point
Lab: Managing Compliance Settings
• Exercise 1: Managing Configuration Items and Baselines
• Exercise 2: Viewing Compliance Settings Reports
• Exercise 3: Configuring Remediation in Compliance
Settings
• Exercise 4: Using Compliance Information to Create
Collections
Logon information

Virtual machine: 10747A-NYC-DC1-B, 10747A-NYC-CFG-B, 10747A-NYC-CL1-B
User name: Contoso\Administrator
Password: Pa$$w0rd

Estimated time: 30 minutes


Lab Scenario
The help desk team at Contoso, Ltd regularly uses Remote
Desktop to access client computers running Windows® 7 to
repair issues. You have been asked to ensure that Remote
Desktop remains enabled on all Windows 7 computers. You
decide to use Compliance Settings to monitor the remote
desktop configuration. Additionally, the Configuration
Manager Trace Log Tool has been deployed to several
computers, and you have been asked to determine the
computers on which the Configuration Manager Trace Log
tool has been deployed.
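
The lab scenario above, combined with the script remediation option from Lesson 2, as an added example that is not part of the course material: a discovery script and a remediation script for a script-type configuration item that keeps Remote Desktop enabled. The function names and the scratch key under HKCU are assumptions made for the demo; the production target is the registry value named in the comments.

```powershell
# Added example. Production target (requires administrator rights):
#   HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server, fDenyTSConnections
#   0 = Remote Desktop connections allowed, 1 = denied.
# The functions default to a scratch key (constructed for this demo) so the
# walk-through at the bottom runs without touching the real setting.
$DemoKey   = 'HKCU:\Software\ComplianceDemo\Terminal Server'   # hypothetical path
$ValueName = 'fDenyTSConnections'

function Get-RdpSetting {
    # Discovery script body: emit the current value as a string, or 'Missing'.
    # The compliance rule then tests this output with the Equals operator against "0".
    param([string]$Path = $DemoKey, [string]$Name = $ValueName)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [string]$item.$Name
    } catch {
        # Key or value is absent: report a string that can never equal "0".
        return 'Missing'
    }
}

function Repair-RdpSetting {
    # Remediation script body: create the value if it does not exist,
    # set it if it exists but is not compliant.
    param([string]$Path = $DemoKey, [string]$Name = $ValueName)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites an existing value, so one call covers both cases.
    New-ItemProperty -Path $Path -Name $Name -Value 0 -PropertyType DWord -Force | Out-Null
}

# Walk-through on the scratch key: missing value, remediate, drift, remediate.
"Initial state : $(Get-RdpSetting)"
Repair-RdpSetting
"After repair  : $(Get-RdpSetting)"
Set-ItemProperty -Path $DemoKey -Name $ValueName -Value 1   # simulate drift
"After drift   : $(Get-RdpSetting)"
Repair-RdpSetting
"Final state   : $(Get-RdpSetting)"
Remove-Item -Path 'HKCU:\Software\ComplianceDemo' -Recurse -Force   # clean up
```

In a configuration item the two function bodies go into the discovery and remediation script fields separately, and the remediation script only runs when remediation is also enabled on the baseline deployment.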
Lab Review
• Besides presence, what values might you want to use with
a file-based configuration item?
• What was the compliance state when you ran the
evaluation for the first time?
• What was the compliance state when you ran the
evaluation for the last time?
• Was the remediation successful?
Module Review and Takeaways
• Review Questions
• Real-world Issues and Scenarios
• Best Practices
