Compliance Information Missing in Desired Configuration Management

Compliance Information Missing in D...

Topic last updated—November 2007

This section provides troubleshooting information to help you resolve issues with compliance information missing from the desired configuration management reports in Configuration Manager 2007.

Missing Compliance Information Because Clients Do Not Have the Microsoft .NET Framework Installed

When you are missing compliance information from a computer, check that the client has Microsoft .NET Framework 2.0 or later installed. This is a prerequisite for desired configuration management in Configuration Manager 2007. If this prerequisite is missing, you will see the following symptoms:

On the client's Configurations tab, the name of the configuration baseline displays Unknown:ScopeId_<number>, the Last Evaluation value displays N/A, the Compliance State displays Unknown, and clicking View Report displays a message that the report is either empty or not valid. Additionally, the client DCMAgent.log file contains the reference SetupForDiscovery : .Net not installed.
On the server reports for desired configuration management, compliance results for the client will be missing from many reports. However, the report Computers with compliance evaluation failures lists computers that do not have Microsoft .NET Framework 2.0 or later installed. From this report, select a computer and drill down to the report All compliance evaluation failures for a specified computer, which displays Cannot further process the baseline CI. Managed client does not have the .Net Framework version 2.0 installed.

Computers that do not meet this prerequisite can also be identified with the status message ID of 11802. For more information, see How to Identify Computers that Do Not Have the .NET Framework v2.0 for Desired Configuration Management.

Solution

The Microsoft .NET Framework version 2.0 or later is available to download through Windows Update. Alternatively, you can download it from the Web (http://go.microsoft.com/fwlink/?LinkID=56407) and install it through software distribution or other deployment mechanisms.

The Configuration Baseline Has Not Yet Been Evaluated and Reports "Unknown"

If a computer has never reported compliance for an assigned configuration baseline and a value of Unknown is displayed in reports, it is likely that the client has not yet evaluated its compliance.

Computers that are assigned configuration baselines download them with their machine policy but do not evaluate their compliance until the scheduled time configured in the configuration baseline assignment. For more information about configuring the configuration baseline assignment schedule, see How to Assign Configuration Baselines in Desired Configuration Management.

Until computers have downloaded their assigned configuration baselines and completed the first evaluation, compliance information for these configuration baselines will display Unknown in the desired configuration management reports, and in Configuration Manager in the client's Control Panel.

Solution

Either wait until computers have downloaded their machine policy and the scheduled time or manually initiate evaluation on the client.

To manually initiate evaluation on the client, use the following procedure.

To initiate evaluation of an assigned configuration baseline

On the client computer, navigate to Configuration Manager in the Control Panel of the client computer, and double-click to open its properties.

Click the Configurations tab, and then view the list of assigned configuration baselines.

Note
If no configuration baselines are displayed but configuration baselines are assigned to this computer, it is probable that the configuration baseline assignments are not yet downloaded. To accelerate this process, click the Actions tab, click Machine Policy Retrieval & Evaluation Cycle, and click Initiate Action. Click OK in the Machine Policy Retrieval & Evaluation Cycle dialog box. When this has completed, clicking Refresh on the Configurations tab should then display the downloaded configuration baselines.

Note

If no configuration baselines are displayed but configuration baselines are assigned to this computer, it is probable that the configuration baseline assignments are not yet downloaded. To accelerate this process, click the Actions tab, click Machine Policy Retrieval & Evaluation Cycle, and click Initiate Action. Click OK in the Machine Policy Retrieval & Evaluation Cycle dialog box. When this has completed, clicking Refresh on the Configurations tab should then display the downloaded configuration baselines.

For any configuration baselines that display Unknown in the Compliance State column, select the configuration baseline and click Evaluate. This runs the compliance evaluation outside the configured schedule, and you will see the Compliance State display change to In Progress and then report either Compliant or Non-Compliant.
Click OK to close Configuration Manager.

Client Evaluation Time Does Not Match the Configuration Baseline Assignment Evaluation Schedule

The Last Evaluation value displayed in the client Configurations tab does not exactly match the configuration baseline assignment schedule but is within a two-hour window.

Solution

This is by design. The evaluation schedule initiates a compliance evaluation that starts randomly within the next two hours. This random initiation ensures that the management point is not saturated with compliance results from multiple clients at the same time.

For more information, see About Compliance Evaluation Schedules in Desired Configuration Management.

Compliance Information in Reports and the Home Page Lags behind Compliance Information in the Client Configurations Tab

The compliance information displayed in the client Configurations tab can be more up-to-date than the compliance information in the desired configuration management reports and displayed in the desired configuration management home page.

Solution

Desired configuration management does not display real-time compliance results in the desired configuration management reports and the desired configuration management home page. There is some latency between the evaluation on the client and the site receiving these results. For more information, see Compliance Sent As State Messages and Status Messages in Desired Configuration Management and About Latency in the Configuration Manager Console.

Either wait until the site compliance information is up-to-date or, when you must have the most recent compliance information, use the client Configurations tab. For more information, see the procedure "To view the compliance of a computer using Configuration Manager on the client computer" in How to View Compliance of a Single Computer.

The Client Reports "Unknown" Compliance for a Modified Configuration Baseline and the Configuration Baseline Name Shows "Unknown:<CI Unique ID>"

If a computer has reported compliance with an assigned configuration baseline and modifications were made to that configuration baseline, the client detects the change when it next downloads its machine policy.

In this scenario, the client no longer knows its compliance state and so reports Unknown for its compliance until the modified configuration baseline is evaluated. Additionally, the configuration baseline name will also display Unknown:<Unique CI ID value>, because the new version of the configuration baseline might include a new display name but will not be downloaded until the evaluation process is initiated.

Solution

Either wait until the scheduled time or manually initiate evaluation on the client.

To manually initiate evaluation on the client, use the following procedure.

To initiate evaluation of an assigned configuration baseline

On the client computer, navigate to Configuration Manager in the Control Panel of the client computer and double-click to open its properties.
Click the Configurations tab and view the list of assigned configuration baselines.
Select the configuration baseline that displays Unknown, and then click Evaluate. This runs the compliance evaluation outside the configured schedule, and you will see the Compliance State display change to In Progress and then report either Compliant or Non-Compliant. Alternatively, it might display Error, in which case check the SmsClient source in the Windows Application event log for more information.
Click OK to close Configuration Manager.

The Client Does Not Update Compliance State If Evaluation Is Initiated Too Soon After the Last Evaluation

If a computer has evaluated compliance with an assigned configuration baseline, the results are cached on the client for 15 minutes.

If the configuration baseline has not changed but something that affects compliance on the client has changed, and you manually initiate reevaluation on the client within 15 minutes, the client will continue to display the same compliance state.

Solution

Wait until 15 minutes have elapsed before reevaluating compliance with an assigned configuration baseline. This 15-minute time-to-live value is not configurable.

However, the time-to-live value is automatically reset if the client downloads a configuration baseline assignment that contains a new or modified configuration baseline.

Configuration Baseline Evaluation Enters Retry State on Client Computers

In some scenarios, evaluation of a configuration baseline might be delayed if the configuration baseline assignment reaches the client computer before the configuration baseline reaches the Configuration Manager 2007 server. This could be due to one or more of the following reasons:

The management point experiences communication problems.
Network connection problems prevent the configuration baseline from reaching the Configuration Manager 2007 server.
If a configuration baseline is created and immediately assigned to a collection, . the assignment can reach the client before the configuration baseline reaches the Configuration Manager 2007 server.

When this situation occurs, the configuration baseline evaluation enters a retry state and waits for 6 hours before retrying. During this time, no other configuration baselines will be evaluated by the client computer.

Solution

When the desired configuration management client agent encounters this scenario, there is no solution except to resolve any communication failures and wait for the retry.

The Client Reports "Unknown" If the Desired Configuration Management Agent is Re-enabled

The client can report Unknown for its compliance state if the following scenario occurred:

The desired configuration management agent was enabled and clients downloaded and evaluated assigned configuration baselines.
The desired configuration management agent was disabled and clients downloaded their machine policy, which instructed them to no longer evaluate compliance.
The desired configuration management agent was reenabled and clients downloaded their machine policy.

In this scenario, even if the assigned configuration baselines have not changed, clients will display Unknown for their compliance state until they have reevaluated compliance with their assigned configuration baselines.

Solution

Either wait until the scheduled time in the assigned configuration baseline or manually initiate reevaluation on the client.

To manually initiate reevaluation on the client, use the following procedure.

To initiate reevaluation of an assigned configuration baseline

On the client computer, navigate Configuration Manager in the Control Panel of the client computer, and double-click to open its properties.
Click the Configurations tab, and then view the list of assigned configuration baselines.
Select the configuration baseline that displays Unknown, and then click Evaluate. This runs the compliance evaluation outside the configured schedule, and you will see the Compliance State display change to In Progress and then report either Compliant or Non-Compliant.
Click OK to close Configuration Manager.

Compliance Results Are Not Sent to the Site for a Long Time and the Client Continues to Display "In Progress"

An assigned configuration baseline might take a long time to complete evaluation for valid reasons, such as if it is checking for compliance using script-based settings or if it is detecting files that used wildcards in the path. However, there are other scenarios in which compliance valuation might be misconfigured in a configuration item and, therefore, will never complete.

To safeguard against the scenario of misconfigured configuration items running continuously, Configuration Manager 2007 clients will time out an evaluation after 6 hours. This value is not configurable.

Solution

Wait until the 6 hours timeout has elapsed, and then investigate the configuration items that did not return compliance information to see whether they can be reconfigured to work more efficiently, or if they need to be reconfigured to correct a misconfiguration.

Use the following desired configuration management report to identify evaluation failures: Compliance evaluation errors for a configuration item on a computer.

Some Report Fields Are Blank for Configuration Items

Some imported configuration items might result in the following fields appearing blank in reports:

Setting or Object Name
Setting or Object Type
Setting or Object Description
Instance Data
Current Value

Solution

This is by design for configuration items that have been imported and for which Configuration Manager cannot interpret all or some of the configuration item contents. In this scenario, Configuration Manager displays as much as can be interpreted and leaves blank the fields that cannot be interpreted.

If you have a good knowledge of the underlying Service Modeling Language (SML) used to define the uninterpreted configuration item, you can right-click the configuration item in the Configuration Items node, and then click View Xml Definition.

For more information about SML, see About Authoring Configuration Data for Desired Configuration Management.

For more information about uninterpreted configuration items, see About Configuration Items in Desired Configuration Management.

Compliance Information Missing Because of the Non-Compliance Severity Level Filter

If you filter compliance information in reports (or displayed in the desired configuration management home page), some configuration baselines might not be displayed that you expect.

In particular, configuration baselines that experience an evaluation failure because the data could not be found (discovery error) will report a non-compliance severity level of Warning. All configuration baselines that have an evaluation failure because of an infrastructure failure will report a non-compliance severity level of Information.

Solution

Make sure that you check compliance results for all levels of non-compliance severity, even if you did not specify them when defining the configuration item.

For more information, see How to Use the Non-Compliance Severity Level.

Concepts

About Compliance and Compliance Information in Desired Configuration Management
Prerequisites for Desired Configuration Management

Did you find this information useful? Please click the following link to send your suggestions and comments about the documentation to the Configuration Manager Doc Feedback alias: SMSdocs@microsoft.com.