
How to Create Windows Configuration Items for Compliance Settings in Configuration Manager

Updated: November 3, 2014

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

Create configuration items in System Center 2012 Configuration Manager to define configurations that you want to manage and assess for compliance on devices.

There are different types of configuration items:

  • Application configuration item

    Used to determine compliance for an application. This can include whether the application is installed and details about its configuration.

  • Operating system configuration item

    Used to determine compliance for settings that relate to the operating system and its configuration.

  • Software updates configuration item

    Automatically created when you download software updates with Configuration Manager.

    You do not create or see these configuration items in the Compliance Settings node, but you can select them when you define configuration baselines.

  • General configuration item

    Used to determine compliance for mobile devices.

    For more information about creating configuration items for mobile devices, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

Use one of the following four methods to create a configuration item in the Configuration Manager console.

 

  • Create a new configuration item

    Use the Create Configuration Item Wizard to create the configuration item.

    Use this method to create a configuration item when you want to configure all properties, or you have no existing configuration item from which you can create a duplicate or a child configuration item.

    For more information about how to create a configuration item by using the wizard, see the steps and supplemental procedures in this topic.

    Note
    For more information about how to create mobile device configuration items, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

  • Create a child configuration item

    Create a child configuration item from the Configuration Items node.

    Use this method when you want a configuration item that continues to inherit the properties of an existing configuration item, but refines them with more detailed configuration.

    You cannot create child configuration items for mobile devices.

    For more information about how to create a child configuration item, see How to Create Child Configuration Items in Configuration Manager.

  • Import

    Import configuration data from a file.

    Use this method to create configuration items when they have been defined outside the Configuration Manager hierarchy. For example, you created them in a test environment and now want to use them on the production network, or you want to import best practices from a Configuration Pack that a vendor provided.

    For more information, see How to Import Configuration Data in Configuration Manager.

  • Duplicate

    Create a duplicate configuration item from the Configuration Items node.

    Use this method when you want an exact copy of an existing configuration item as your starting point, and you then modify that copy into a configuration item that is independent of the original.

    To create a duplicate of a configuration item, select a configuration item in the Configuration Items node and then, on the Home tab, in the Configuration Item group, click Copy.

    Important
    When you create a duplicate configuration baseline or configuration item, the duplicate does not retain a relationship to the original configuration data. Therefore, if the original configuration data is upgraded, any revisions are not passed to the duplicate configuration baseline or configuration item.

Warning
Do not configure configuration items with identical settings that evaluate different values and assign them to the same devices. When devices evaluate configuration items that have conflicting values, the order in which they are evaluated is nondeterministic.

Use the following steps and supplemental procedures when you want to create a new configuration item for Windows-based computers.

Use the following required steps to create a configuration item by using the Create Configuration Item Wizard.

 

  • Step 1: Start the Create Configuration Item Wizard.

    Start the wizard in the Assets and Compliance workspace in the Compliance Settings node.

    See the Step 1: Start the Create Configuration Item Wizard section in this topic.

  • Step 2: Provide general information about the configuration item.

    Specify a Windows configuration item and, if this configuration item assesses the compliance of an application, a detection method.

    See the Step 2: Provide General Information about the Configuration Item section in this topic.

  • Step 3: Provide detection method information for the configuration item.

    A detection method contains rules that detect whether an application is installed on a client device before it is assessed for compliance.

    Note
    Detection methods apply only to application configuration items (you have selected This configuration item contains application settings on the General page of the wizard).

    See the Step 3: Provide Detection Method Information for the Configuration Item section in this topic.

  • Step 4: Configure settings for the configuration item.

    A setting represents the business or technical conditions to be used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer.

    See the Step 4: Configure Settings for the Configuration Item section in this topic.

  • Step 5: Configure compliance rules for the configuration item.

    Compliance rules specify the conditions that define the compliance of a configuration item. Some settings let you remediate values that are found to be noncompliant. You can also create new rules by browsing to existing settings in any configuration item and creating rules against them.

    See the Step 5: Configure Compliance Rules for the Configuration Item section in this topic.

  • Step 6: Specify supported platforms for the configuration item.

    Supported platforms are the operating systems on which a configuration item is assessed for compliance.

    See the Step 6: Specify Supported Platforms for the Configuration Item section in this topic.

  • Step 7: Complete the wizard.

    Complete the wizard to create the new configuration item.

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Configuration Item Wizard

Use this procedure to start the Create Configuration Item Wizard.

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items.

  3. On the Home tab, in the Create group, click Create Configuration Item.

Step 2: Provide General Information about the Configuration Item

Use this procedure to provide general information about the configuration item.

  1. On the General page of the Create Configuration Item Wizard, specify the following information:

    • Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters.

    • Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

  2. In the Specify type of configuration item that you want to create list, select Windows.

    Note
    If you want to create a configuration item for a mobile device, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

  3. If this configuration item is used to assess the compliance of an application, and you want to use a detection method to detect whether the application is present, select This configuration item contains application settings.

Step 3: Provide Detection Method Information for the Configuration Item

Use this procedure to provide detection method information for the configuration item.

Note
Applies only if you selected This configuration item contains application settings on the General page of the wizard.

A detection method in Configuration Manager contains rules that are used to detect whether an application is installed on a computer. This detection occurs before the configuration item is assessed for compliance. To detect whether an application is installed, you can detect the presence of a Windows Installer file for the application, use a custom script, or select Always assume application is installed to assess the configuration item for compliance regardless of whether the application is installed.

Use these procedures to configure detection methods in System Center 2012 Configuration Manager.

To detect an application by using a Windows Installer file:

  1. On the Detection Methods page of the Create Configuration Item Wizard, select the Use Windows Installer detection check box.

  2. Click Open, browse to the Windows Installer (.msi) file that you want to detect, and then click Open.

  3. The Version box is automatically populated with the version number of the Windows Installer file that you selected. You can enter a new version number in this box if the displayed value is incorrect.

  4. Select the This application is installed for one or more users check box if the application is installed per user rather than per computer; detection then checks each user profile on the computer.

To detect an application by using a custom script:

  1. On the Detection Methods page of the Create Configuration Item Wizard, select the Use a custom script to detect this application check box.

  2. In the list, select the language of the script you want to open. Choose from the following scripts:

    • VBScript

    • JScript

    • PowerShell

  3. Click Open, browse to the script that you want to use, and then click Open.

Step 4: Configure Settings for the Configuration Item

Use this procedure to configure the settings in the configuration item.

Settings represent the business or technical conditions that are used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer.

  1. On the Settings page of the Create Configuration Item Wizard, click New.

  2. On the General tab of the Create Setting dialog box, provide the following information:

    • Name: Enter a unique name for the setting. You can use a maximum of 256 characters.

    • Description: Enter a description for the setting. You can use a maximum of 256 characters.

    • Setting type: In the list, choose one of the following setting types to use for this setting:

       


      Active Directory query

      Configure the following for this setting type:

      • LDAP prefix - Specify a valid prefix to the Active Directory Domain Services query to assess compliance on client computers. Use either LDAP:// for an LDAP query or GC:// to perform a global catalog search.

      • Distinguished Name (DN) - Specify the distinguished name of the Active Directory Domain Services object that is assessed for compliance on client computers.

        For example, if you want to evaluate a value related to a user named John Smith in the corp.contoso.com domain, enter the following:

        CN=John Smith, CN=Users, DC=corp, DC=Contoso, DC=com

      • Search filter - Specify an optional LDAP filter to refine the results from the Active Directory Domain Services query to assess compliance on client computers.

        To return all results from the query, enter (objectclass=*).

      • Search scope - Specify the search scope in Active Directory Domain Services:

        • Base - Queries only the object that is specified.

        • One Level - This option is not used in this version of Configuration Manager.

        • Subtree - Queries the object that is specified and its complete subtree in the directory.

      • Property - Specify the property of the Active Directory Domain Services object that is used to assess compliance on client computers.

        For example, if you want to query the Active Directory property badPwdCount, which stores the number of times a user incorrectly enters a password, enter badPwdCount in this field.

      • Query - Displays the query constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter (if specified), and Property, which are used to assess compliance on client computers.

      For more information about constructing LDAP queries, see your Windows Server documentation.

      Assembly

      Configure the following for this setting type:

      • Assembly name: Specifies the name of the assembly object that you want to search for. The name cannot be the same as other assembly objects of the same type and must be registered in the Global Assembly Cache. The assembly name can be up to 256 characters long.

      Note
      An assembly is a piece of code that can be shared between applications. Assemblies can have the file name extension .dll or .exe. The Global Assembly Cache is a folder named %systemroot%\Assembly on client computers where all shared assemblies are stored.

      File system

      Configure the following for this setting type:

      • Type – In the list, select whether you want to search for a File or a Folder.

      • Path - Specify the path of the specified file or folder on client computers. You can specify system environment variables and the %USERPROFILE% environment variable in the path.

        Note
        If you use the %USERPROFILE% environment variable in the Path or File or folder name boxes, all user profiles on the client computer are searched, which could result in multiple instances of the file or folder that is found.

        If compliance settings do not have access to the specified path, a discovery error is generated. Additionally, if the file you are searching for is currently in use, a discovery error is generated.

      • File or folder name - Specify the name of the file or folder object to search for. You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also use the wildcards * and ? in the file name.

        Note
        If you specify a file or folder name and use wildcards, this combination might produce a high number of results and could result in high resource use on the client computer and high network traffic when reporting results to Configuration Manager.

      • Include subfolders – Enable this option if you also want to search any subfolders under the specified path.

      • This file or folder is associated with a 64-bit application - If enabled, only 64-bit file locations (such as %ProgramFiles%) will be checked on 64-bit computers. If this option is not enabled, both 32-bit (such as %ProgramFiles(x86)%) and 64-bit locations will be checked.

        Note
        If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer, multiple files are discovered by the global condition.

      The File system setting type does not support specifying a UNC path to a network share in the Path box.

      IIS metabase

      Configure the following for this setting type:

      • Metabase path - Specify a valid path to the Internet Information Services (IIS) Metabase.

      • Property ID - Specify the numeric property of the IIS Metabase setting.

      Registry key

      Configure the following for this setting type:

      • Hive – In the list, select the registry hive that you want to search in.

      • Key - Specify the registry key name that you want to search for. Use the format key\subkey.

      • This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

        Note
        If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

      Registry value

      Configure the following for this setting type:

      • Hive - In the list, select the registry hive that you want to search in.

      • Key - Specify the registry key name that you want to search for. Use the format key\subkey.

      • Value – Specify the value that must be contained within the specified registry key.

      • This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

        Note
        If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

      You can also click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service.

      Script

      Configure the following for this setting type:

      • Discovery script – Click Add to enter, or browse to the script you want to use. You can use Windows PowerShell, VBScript, or Microsoft JScript scripts.

      • Run scripts by using the logged on user credentials – If you enable this option, the script runs on client computers by using the credentials of the logged-on user instead of the system account.

        Note
        The value returned by the script is used to assess the compliance of the global condition. For example, when using VBScript, you could use the command WScript.Echo Result to return the value of the Result variable to the global condition.

      SQL query

      Configure the following for this setting type:

      • SQL Server instance – Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name.

        Note
        The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL Server instance, use a script setting instead.

      • Database - Specify the name of the Microsoft SQL Server database against which you want to run the SQL query.

      • Column - Specify the column name returned by the Transact-SQL statement that is used to assess the compliance of the global condition.

      • Transact-SQL statement – Specify the full SQL query you want to use for the global condition. You can also click Open to open an existing SQL query.

        Important
        SQL Query settings do not support any SQL commands that modify the database. You can only use SQL commands that read information from the database.

      WQL query

      Configure the following for this setting type:

      • Namespace - Specify the Windows Management Instrumentation (WMI) namespace which is used to build a WQL query that is assessed for compliance on client computers. The default value is Root\cimv2.

      • Class - Specifies the WMI class which is used to build a WQL query that is assessed for compliance on client computers.

      • Property - Specifies the WMI property which is used to build a WQL query that is assessed for compliance on client computers.

      • WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a WHERE clause to be applied to the specified namespace, class, and property on client computers.

      XPath query

      Configure the following for this setting type:

      • Path - Specify the path of the .xml file on client computers that is used to assess compliance. Configuration Manager supports the use of all Windows system environment variables and the %USERPROFILE% user variable in the path name.

      • XML file name - Specify the file name containing the XML query that is used to assess compliance on client computers.

      • Include subfolders - Enable this option if you also want to search any subfolders under the specified path.

      • This file is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\System32) should be searched in addition to the 32-bit system file location (%windir%\Syswow64) on Configuration Manager clients that are running a 64-bit version of Windows.

      • XPath query - Specify a valid full XML path language (XPath) query that is used to assess compliance on client computers.

      • Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes to be used during the XPath query.

      Important
      If you attempt to discover an encrypted .xml file, compliance settings find the file, but the XPath query produces no results, and no error is generated.

      Note
      If the XPath query is not valid, the setting is evaluated as noncompliant on client computers.

    • Data type: In the list, choose the format in which the condition returns the data before it is used to assess the setting. The Data type list is not displayed for all setting types.

      Note
      The Floating point data type supports only 3 digits after the decimal point.

  3. Configure additional details about this setting under the Setting type list. The items you can configure vary depending on the setting type you have selected.

    Note
    When you create settings of the type File system, Registry key, and Registry value, you can click Browse to configure the setting from values on a reference computer. To browse to a registry key or value on a remote computer, the remote computer must have the Remote Registry service enabled.

  4. Click OK to save the setting and close the Create Setting dialog box.
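The Active Directory query setting type described above composes a query from the LDAP prefix, Distinguished Name, Search filter, Search scope and Property boxes. The following added example (not part of the Configuration Manager documentation) runs that same query from a reference computer so you can see the value a client would report before you build a compliance rule on it; it assumes a domain-joined computer whose user may read the object, and it reuses the topic's John Smith example DN.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Runs the Active Directory Domain Services query that the Create Setting dialog
# builds from LDAP prefix, Distinguished Name, Search filter, Search scope and
# Property, so the value can be checked on a reference computer before the
# configuration item is deployed. Assumes a domain-joined computer whose caller
# may read the object. The DN below is the topic's own John Smith example.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdSettingValue {
    [CmdletBinding()]
    param(
        [ValidateSet('LDAP://', 'GC://')]          # the two prefixes the dialog accepts
        [string] $LdapPrefix = 'LDAP://',
        [Parameter(Mandatory = $true)]
        [string] $DistinguishedName,
        [string] $SearchFilter = '(objectclass=*)', # the topic's "return all results" filter
        [ValidateSet('Base', 'Subtree')]            # One Level is not used by this version
        [string] $SearchScope = 'Base',
        [Parameter(Mandatory = $true)]
        [string] $Property
    )

    $root = [ADSI]($LdapPrefix + $DistinguishedName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, $SearchFilter, [string[]]@($Property))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]$SearchScope
    $searcher.PageSize = 500   # page Subtree results instead of stopping at the server limit

    foreach ($result in $searcher.FindAll()) {
        # Result property names are lower-cased; a missing property yields an empty collection.
        $values = $result.Properties[$Property.ToLower()]
        $value = $null
        if ($values.Count -gt 0) { $value = $values[0] }
        [PSCustomObject]@{
            Path  = $result.Path
            Value = $value
        }
    }
}

# The topic's example: how many bad password attempts are recorded for John Smith.
# A compliance rule of type Value with the Less than operator could then bound it.
Get-AdSettingValue -DistinguishedName 'CN=John Smith,CN=Users,DC=corp,DC=Contoso,DC=com' `
                   -Property 'badPwdCount' |
    Format-Table Path, Value -AutoSize
```

Note that badPwdCount is maintained per domain controller and is not replicated, so a client that binds to a different domain controller than your reference computer can legitimately report a different value for the same user.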

Step 5: Configure Compliance Rules for the Configuration Item

Use the following procedure to configure compliance rules for the configuration item.

Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. WMI, registry, and script settings let you remediate values that are found to be noncompliant. You can create new rules or browse to an existing setting in any configuration item to select rules in it.

  1. On the Compliance Rules page of the Create Configuration Item Wizard, click New.

  2. In the Create Rule dialog box, provide the following information:

    • Name: Enter a name for the compliance rule.

    • Description: Enter a description for the compliance rule.

    • Selected setting: Click Browse to open the Select Setting dialog box. Select the setting that you want to define a rule for, or click New Setting. When you are finished, click Select.

      Note
      You can also click Properties to view information about the currently selected setting.

    • Rule type: Select the type of compliance rule that you want to use:

      • Value – Create a rule that compares the value returned by the configuration item against a value that you specify.

      • Existential – Create a rule that evaluates the setting depending on whether it exists on a client device or on the number of times it is found.

    • For a rule type of Value, specify the following information:

      • The setting must comply with the following rule – Select an operator and a value which is assessed for compliance with the selected setting. You can use the following operators: Equals, Not equal to, Greater than, Less than, Between, Greater than or equal to, Less than or equal to, One of, and None of.

        For the One of and None of operators, specify one entry on each line in the text box.

      • Remediate noncompliant rules when supported – Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types:

        • Registry value – The registry value is remediated if it is noncompliant, and created if it does not exist.

        • Script (by automatically running a remediation script).

        • WQL Query

        Important
        You can only remediate noncompliant rules when the rule operator is set to Equals.

      • Report noncompliance if this setting instance is not found – The configuration item reports noncompliance if this setting is not found on client computers.

      • Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following:

        • None – Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports.

        • Information – Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports.

        • Warning – Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports.

        • Critical – Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports.

        • Critical with event – Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

    • For a rule type of Existential, specify the following information:

      Note
      The options shown might vary depending on the setting type you are configuring a rule for.

      • The setting must exist on client devices

      • The setting must not exist on client devices

      • The setting occurs the following number of times:

      • Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following:

        • None – Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports.

        • Information – Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports.

        • Warning – Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports.

        • Critical – Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports.

        • Critical with event – Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

  3. Click OK to close the Create Rule dialog box.
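The Script setting type in Step 4 returns whatever the discovery script writes to standard output, and the Remediate noncompliant rules when supported option in this step can run a remediation script when a Value rule with the Equals operator fails. The following added example (not from the Configuration Manager documentation) shows a matching discovery and remediation pair that checks the Windows Firewall profiles; it assumes the NetSecurity cmdlets available on Windows 8 and Windows Server 2012 and later, so restrict the supported platforms in Step 6 accordingly, and it assumes a Value rule of Equals "Compliant" on the setting.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Paste the discovery section into the Script setting's discovery script and the
# remediation section into its remediation script. Assumes the NetSecurity module
# (Windows 8 / Windows Server 2012 and later) and a compliance rule of type Value
# with the Equals operator and the value 'Compliant'. Leave "Run scripts by using
# the logged on user credentials" cleared: remediation must run as the system.

# ---- Discovery script ----------------------------------------------------
function Get-FirewallComplianceState {
    # A profile is compliant only if it is enabled AND blocks inbound traffic by
    # default. NotConfigured counts as noncompliant, so an unmanaged profile fails.
    try {
        $profiles = Get-NetFirewallProfile -ErrorAction Stop
    } catch {
        # Return a distinct value so a broken discovery shows in reports as a
        # failed Equals comparison instead of silently passing.
        return 'Error: ' + $_.Exception.Message
    }

    $bad = @($profiles | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    })

    if ($bad.Count -gt 0) {
        # Name the failing profiles; the rule still fails because the value is not 'Compliant'.
        return 'NonCompliant: ' + (($bad | ForEach-Object { $_.Name }) -join ',')
    }
    return 'Compliant'
}

# Standard output is the setting's value, as WScript.Echo is for VBScript.
Write-Output (Get-FirewallComplianceState)

# ---- Remediation script --------------------------------------------------
function Repair-FirewallCompliance {
    # Touch only the profiles that fail the same test the discovery script uses,
    # so a compliant profile is never rewritten.
    Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    } | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block
}

Repair-FirewallCompliance
```

After remediation runs, the client re-evaluates the discovery script, so the setting reports Compliant only if the change actually took effect.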

Step 6: Specify Supported Platforms for the Configuration Item

Use the following procedure to specify the supported platforms for the configuration item.

Supported platforms are the operating systems on which a configuration item is assessed for compliance.

  1. On the Supported Platforms page of the Create Configuration Item Wizard, specify one of the following options:

    • Select the versions of Windows that will assess this configuration item for compliance: In the list, select the Windows versions on which you want the configuration item to be assessed for compliance, or click Select all.

    • Specify the version of Windows manually: Click Edit to open the Specify Windows Version Manually dialog box, and then provide the full version number of the version of Windows on which you want the configuration item to be assessed for compliance.

      Note
      You can use the winver.exe command at a Windows command prompt to display the full Windows version.

  2. Click OK to close the Specify Windows Version Manually dialog box.

    Note
    This option is not displayed if you have selected the This configuration item contains application settings check box on the General page of the Wizard.

Step 7: Complete the Wizard

On the Summary page of the Wizard, review the actions that will be taken, and then complete the wizard. The new configuration item is displayed in the Configuration Items node in the Assets and Compliance workspace.

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
© 2014 Microsoft