
Unexpected Compliance Results in Desired Configuration Management

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

This section provides troubleshooting information to help you resolve unexpected compliance results when using Configuration Manager 2007 desired configuration management.

The following tables display the compliance evaluation results of some known error conditions in Configuration Manager 2007, some of which return a discovery error that is displayed in the desired configuration management reports with the category of Compliance Evaluation Errors.

For more information about these reports, see About Reports for Desired Configuration Management.

Note
When a configuration item is evaluated and returns a discovery error, evaluation stops and other instances, objects, and settings within the same configuration item are not evaluated for compliance. However, the instance count (the Report a non-compliance event when this instance count fails option) for the setting is still evaluated.

Key:

√ = Discovery error

Ø = No discovery error (returns non-compliant if the following option is enabled: Report a non-compliance event when this instance count fails).

| SQL Query Setting | Discovery Error |
| --- | --- |
| Instance of SQL not found—If Use default instance or Instancename is configured | |
| Instance of SQL not found—If All instances is configured | Ø |
| No SQL Server installed | |
| Invalid SQL query | |
| SQL Server installed but disabled | |
| SQL query returned no value | Ø |
| SQL database not found | |
| Access Denied on SQL Server Instance | Ø |
| Access Denied on SQL database | Ø |
| A non-read query (UPDATE, DELETE, DROP, CREATE) | |
| SQL Server Access Denied | Ø |

| File or Folder Setting | Discovery Error |
| --- | --- |
| Invalid file path | |
| Driver for file does not exist | |
| File Access Denied (System) | Ø |
| Access Denied on one or more files or folders in a wildcard setting | Ø |
| File does not exist | Ø |

| Script Setting | Discovery Error |
| --- | --- |
| Script errors (divide zero) | √ (but does not apply to JScript) |
| No software installed or version not matched | |
| Invalid script syntax | √ (although dependent on script host) |
| PowerShell Access Denied | Ø |
| Script contains UI that blocks execution | √ (after 6-hour time-out period expires) |
| Script hit infinite loop | √ (after 6-hour time-out period expires) |

| IIS Metabase Setting | Discovery Error |
| --- | --- |
| Query with invalid path | |
| IIS not installed | |
| Query with non-existent intermediate path | Ø |
| IIS installed but disabled | IIS service will be started |
| IIS installed but metabase is not installed | Ø |
| Metabase Access Denied | Ø |

| XML Query Setting | Discovery Error |
| --- | --- |
| File not found | Ø |
| File doesn’t contain XML data | |
| File is in use | |
| File returned Access Denied | Ø |
| File is encrypted | Ø |

| Registry Setting | Discovery Error |
| --- | --- |
| Non existing registry hive | |
| Invalid registry path | Ø |
| Registry setting that returns no value | Ø |

| WMI Setting | Discovery Error |
| --- | --- |
| WQL query on nonexisting class | |
| WQL query with invalid namespace | |
| WQL query with invalid syntax (class or filter) | |
| Designated value does not exist in the specified class | Ø |
| Value is an object rather than a standard data type | Ø |
| Value is a reference | Ø |
| WMI is disabled | Succeed (service is restarted) |

| Active Directory Domain Services Setting | Discovery Error |
| --- | --- |
| Specified path and the first level of subfolders or Specified path and all subfolders | |
| Invalid distinguished name (DN) | |
| Active Directory is not present (nonexisting server) | |
| Access Denied | Ø |
| Invalid Active Directory LDAP attribute | Ø |

A configuration item that evaluates the compliance of Windows security permissions on registry key objects, and on file or folder objects, results in an evaluation failure (discovery error) rather than non-compliance if the specified user account does not exist.

Solution

Specify only valid user accounts for Windows security permissions.

A configuration item that evaluates the compliance of a file or folder object by using SHA1-Hash validation results in an evaluation failure (discovery error) when the file is open for write access by another application.

Solution

None.

When you import configuration items into Configuration Manager 2007, multiple content versions can be stored and evaluated by clients. However, desired configuration management reports can display compliance with a single version only. When there is a difference in compliance results on the same client between one content version and another, this can lead to inconsistent compliance results in the reports, which will display the results from the last evaluated content version.

For more information about content versions, see About Content Versions in Desired Configuration Management.

Solution

This is a known limitation. Use the client report to determine the content version used in the compliance evaluation of a configuration item. As a best practice, avoid this situation by ensuring that the content version on externally authored configuration items is always incremented whenever the configuration item is modified.

On computers running Windows Vista, file or folder object discovery might return multiple copies of the same file when Name pattern search depth is set to Specified path and all subfolders on the General tab of the New File or Folder Properties dialog box.

Computers running Windows Vista utilize User Account Control (UAC) to ask users for permission before performing actions that change system settings such as registry values or system files. If a program is installed that is not UAC-compliant and therefore cannot write to the computer's file system, Windows Vista creates a virtualized copy of the file that is changed within the user's profile. This means that multiple, virtualized copies of files might exist on a computer running Windows Vista that are then discovered by desired configuration management compliance evaluations.

Solution

Consider specifying a different value for Name pattern search depth to more closely specify the location of the file to evaluate for compliance.
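
To see which virtualized copies a recursive search could pick up, the following added example (not part of the original documentation) lists files matching a name pattern under each user profile's VirtualStore folder. It assumes the standard per-user location AppData\Local\VirtualStore, an elevated PowerShell 2.0 or later session, and a constructed sample file name.

```powershell
# Added example: list UAC-virtualized copies of a file so they can be
# compared with what the file or folder object discovers.
param(
    [string]$NamePattern  = 'settings.ini',            # constructed sample name
    [string]$ProfilesRoot = "$env:SystemDrive\Users"   # default profile root
)

function Get-VirtualizedCopy {
    param([string]$Pattern, [string]$Root)

    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $profileName = $_.Name
            # Assumption: virtualized writes land in AppData\Local\VirtualStore.
            $store = Join-Path $_.FullName 'AppData\Local\VirtualStore'
            if (Test-Path $store) {
                Get-ChildItem -Path $store -Filter $Pattern -Recurse -Force -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer } |
                    ForEach-Object {
                        # The path below VirtualStore mirrors the path the program tried to write.
                        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
                        New-Object PSObject -Property @{
                            Profile       = $profileName
                            VirtualCopy   = $_.FullName
                            OriginalPath  = Join-Path "$env:SystemDrive\" $relative
                            LastWriteTime = $_.LastWriteTime
                        }
                    }
            }
        }
}

Get-VirtualizedCopy -Pattern $NamePattern -Root $ProfilesRoot |
    Select-Object Profile, OriginalPath, VirtualCopy, LastWriteTime |
    Format-Table -AutoSize
```

Each row is a per-user copy that exists in addition to the file at OriginalPath.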

When exclusive file permissions are used in a configuration item object, desired configuration management checks that one set of the specified permissions is applied to the file. However, it is possible that the file inherits a second set of permissions that might be identical to the specified permissions. In this scenario, desired configuration management reports a non-compliant state for the configuration item.

Solution

If the file inherits a second set of identical permissions, delete the instance permissions on the file so that only the inherited permissions remain.
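
To confirm that a file carries both an instance (explicit) entry and an identical inherited entry, the following added example (not part of the original documentation) compares the two sets of access rules on a file. The file path is a constructed sample, and the script only reports; it does not change permissions.

```powershell
# Added example: report explicit ACEs that duplicate an inherited ACE
# (same account, same rights, same allow/deny type) on one file.
param(
    [string]$Path = 'C:\Program Files\Contoso\app.config'   # constructed sample path
)

function Get-DuplicateAce {
    param([string]$FilePath)

    $acl       = Get-Acl -Path $FilePath
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    foreach ($e in $explicit) {
        foreach ($i in $inherited) {
            $sameAccount = $e.IdentityReference.Value -eq $i.IdentityReference.Value
            $sameRights  = $e.FileSystemRights -eq $i.FileSystemRights
            $sameType    = $e.AccessControlType -eq $i.AccessControlType
            if ($sameAccount -and $sameRights -and $sameType) {
                New-Object PSObject -Property @{
                    File     = $FilePath
                    Account  = $e.IdentityReference.Value
                    Rights   = $e.FileSystemRights
                    Type     = $e.AccessControlType
                    Finding  = 'Explicit entry duplicates an inherited entry'
                }
            }
        }
    }
}

$duplicates = @(Get-DuplicateAce -FilePath $Path)
if ($duplicates.Count -eq 0) {
    Write-Output "No explicit entry on '$Path' duplicates an inherited entry."
} else {
    $duplicates | Select-Object File, Account, Rights, Type, Finding | Format-List
}
```

Any account listed is a candidate for the cleanup described in the solution above.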

When a configuration item with an Internet Information Services (IIS) setting is evaluated on a computer running Windows Server 2008, a discovery error might be generated in the log file Discovery.log and evaluation might fail.

Solution

To evaluate configuration items with IIS settings on computers running Windows Server 2008, you must install IIS 6.0 Management Compatibility for Internet Information Services 7.0 on the computer running Windows Server 2008.

When configuration item settings and objects use the Version data type, they might always evaluate as compliant, despite the version value returned from the client computer being non-compliant. This happens when the value returned from the client computer is a single-digit version number. Desired configuration management expects the version value returned from client computers to be in the format of major version.minor version—for example, 1.2.

Solution

There is currently no solution or workaround for this issue.

When a configuration item is modified that is being referenced by a configuration baseline assigned to clients, the Actual Compliance value displayed in the report for those configuration baselines will continue to display the results from when the configuration baseline was last evaluated.

In this scenario, the report "Compliance details for a configuration baseline" might display the modified version of the configuration baseline, even though it has not yet been evaluated for compliance. The report will correctly display the configuration items that were used for the last evaluation (prior to modification).

Solution

Wait for the configuration baseline to be re-evaluated to display compliance results for the modified configuration items.

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.