Using Desired Configuration Management to Monitor Client Compliance

Applies To: Forefront Endpoint Protection

Forefront Endpoint Protection (FEP) includes Desired Configuration Management (DCM) configuration baselines. DCM, a feature of System Center Configuration Manager, allows you to assess computer configuration against configuration baselines. To learn more about DCM and configuring baselines, see Desired Configuration Management in Configuration Manager (https://go.microsoft.com/fwlink/?LinkId=206684) in the Configuration Manager documentation.

FEP provides the following predefined configuration baselines:

Note

All FEP baselines are read-only.

  • FEP - High-Security Desktop

  • FEP - Laptop

  • FEP - Performance-Optimized Desktop

  • FEP - Standard Desktop

By default, these baselines are not assigned to collections. To see the summary results of these baselines, or of any custom baselines you create and assign to the FEP dashboard, you must first assign them to a collection and then run a DCM Home Page Summarization from the DCM home page in the Configuration Manager console. For more information about using the DCM home page, see How to Use the Desired Configuration Management Home Page (https://go.microsoft.com/fwlink/?LinkId=207094) in the Configuration Manager documentation.

Warning

The following configuration baselines are used by the FEP dashboard, and you must not modify the collections to which they are assigned:

  • FEP Monitoring - Antimalware Status

  • FEP Monitoring - Definitions and Health Status

  • FEP Monitoring - Malware Activity

  • FEP Monitoring - Malware Detections

Important

In order to use DCM in Configuration Manager, you must enable DCM on the Configuration Manager client agent. For more information about how to do this, see How to Enable or Disable the Desired Configuration Manager Client Agent (https://go.microsoft.com/fwlink/?LinkId=206661) in the Configuration Manager documentation.

Managing FEP DCM Baselines

Because FEP DCM baselines are read-only, you cannot directly modify the configuration items or rules from which they are composed. If you need to add additional configuration items or rules to a FEP baseline, you must first duplicate the target baseline and then edit the new baseline.

Note

If you need to reduce the amount of time it takes to update information generated by a baseline and have it display in the Forefront Endpoint Protection dashboard, you can modify the schedule of the baseline assignment that generates that data. However, modifying the schedule of a built-in baseline assignment could adversely impact the performance of your Configuration Manager server.

For more information about how to modify the schedule of an assigned baseline, see How to Set the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration Management (https://go.microsoft.com/fwlink/?LinkId=206696) in the Configuration Manager documentation.

To duplicate a FEP baseline

  1. In the Configuration Manager console, in the tree, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Desired Configuration Management, and then click Configuration Baselines.

  2. In the details pane, right-click the configuration baseline you want to duplicate, and then click Duplicate.

After you duplicate the desired FEP baseline, you can edit it by right-clicking the duplicated baseline, and then clicking Properties.

For more information about implementing customized DCM baselines, see the following topics in the Configuration Manager documentation:

The FEP dashboard contains a list of baselines that are assigned to the category *FEP*. When you duplicate a baseline, this category field is also duplicated. You can assign any baseline to the *FEP* category and have its statistics appear in the FEP dashboard.

To assign a category to a baseline

  1. In the Configuration Manager console, in the tree, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Desired Configuration Management, and then click Configuration Baselines.

  2. In the details pane, right-click the configuration baseline to which you want to assign the category, and then click Properties.

  3. In the baseline properties dialog box, on the General tab, click the Categories button, and then in the Available categories list, select the check box next to FEP, and then click OK.

  4. In the baseline properties dialog box, click OK.

To see the new baseline in the FEP dashboard, assign the baseline to a collection, and then, when viewing the FEP dashboard, click Refresh in the Actions pane.

Warning

Configuration baseline rules should contain no more than 300 software updates. If you create a rule with more than 300 software updates, the baseline to which the rule is assigned does not evaluate the client computers correctly. For more information, see Microsoft Knowledge Base article 937532 (https://go.microsoft.com/fwlink/?LinkId=207668).

Monitoring Baseline Compliance

FEP configuration baselines are composed of configuration items that are monitored and the rules that define compliance. The configuration baselines are assigned to computers you want to monitor by using collections and are evaluated both on a schedule and when a security incident (such as a malware detection) occurs.

Note

By default, no baselines are assigned to collections. In order to see baseline results in the FEP dashboard, you must assign a baseline to a collection.

Client computers can have multiple configuration baselines assigned to them, which provides you with a high level of control.

To assign a FEP baseline to a collection

  1. In the Configuration Manager console, in the tree, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Desired Configuration Management, and then click Configuration Baselines.

    Tip

    To limit the list to FEP configuration baselines, in the Look for box, enter FEP, and then click Find Now.

  2. Right-click the configuration baseline you want to assign, and then click Assign to a Collection.

    The Assign Configuration Baseline Wizard opens.

  3. On the Choose Baselines page, click Next.

  4. On the Choose Collection page, click Browse, choose a collection, click OK, and then click Next.

  5. On the Set Schedule page, configure how frequently you want the Configuration Manager client agent to evaluate compliance to the baseline. When finished, click Next.

    Warning

    When setting the schedule for a baseline, you should consider how much impact the data reporting may have on your Configuration Manager server.

  6. On the Summary page, review the Details, and then click Next.

  7. On the Wizard Completed page, click Close.

After you assign a baseline to a collection, the client computers in the collection evaluate their compliance against each configuration baseline to which they are assigned, and immediately report back the results to the site. If a client is not currently connected to the network, but has downloaded the configuration items referenced in its assigned configuration baselines, the compliance information will be sent on reconnection.

You can monitor the results of configuration baseline evaluation compliance from the FEP dashboard.

Note

Dashboard statistics are based on data gathered by Configuration Manager at scheduled intervals and may not reflect the most recent information.

To monitor the results of the configuration baseline evaluation compliance

  1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Forefront Endpoint Protection.

  2. In the details pane, in the Forefront Endpoint Protection Baselines area, you can see the compliance results of the built-in Forefront Endpoint Protection configuration baselines. The following list summarizes the meaning of the columns:

    • Baseline—The name of the FEP configuration baseline.

    • Severity—The severity level configured in the configuration item if non-compliance is reported or if the configuration item is not present on the client computer.

    • Assigned—The number of computers that are assigned to the configuration baseline.

    • Non-compliant—The number of computers that report a non-compliance status with the selected baseline.

    • Compliance—The number of computers that report a compliance status with the selected baseline.

    • Failed—The number of computers that report a failure evaluating their compliance status with the selected baseline.

    • Compliance Level (expressed as a percentage)—The number of computers that report a compliance status with the selected baseline, divided by the number of computers assigned the configuration baseline.

    Periodically viewing these results allows you to ascertain the overall compliance of computers in your organization.

  3. To view detail in the summary report of a configuration baseline, in the Forefront Endpoint Protection Baselines area, click the link of the configuration baseline you want to view.

  4. To view more detail in the report, next to each line for which you want to view more detail, click the arrow icon.

    Tip

    You can also view the compliance status of a baseline on a client computer. In the Control Panel, open Configuration Manager, and then click the Configurations tab. Click Evaluate to run a baseline compliance check, or click View Report to see the results of a selected compliance report.
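The following added example (not part of the original documentation or of FEP itself) applies the dashboard column definitions above to constructed baseline rows: it computes Compliance Level as compliant divided by assigned, treats a baseline with no assigned computers as "no result" rather than 0%, and flags rows with evaluation failures or non-compliance against a critical-severity baseline. The not-yet-reported count is an assumption of this example, derived from the note that offline clients send their results on reconnection; the sample rows and severity strings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BaselineRow:
    """One row of the Forefront Endpoint Protection Baselines area, named after its columns."""
    baseline: str
    severity: str
    assigned: int
    non_compliant: int
    compliant: int
    failed: int


def compliance_level(row: BaselineRow) -> Optional[float]:
    """Compliance Level as the dashboard defines it: compliant / assigned, as a percentage.
    A baseline assigned to an empty collection has nothing to divide by, so return None
    instead of a misleading 0% or a ZeroDivisionError."""
    if row.assigned == 0:
        return None
    return round(100.0 * row.compliant / row.assigned, 1)


def not_yet_reported(row: BaselineRow) -> int:
    """Assumption of this example: assigned computers that appear in none of Compliant,
    Non-compliant or Failed have not reported yet (e.g. offline clients that will send
    results on reconnection)."""
    return row.assigned - (row.compliant + row.non_compliant + row.failed)


def review(rows: List[BaselineRow]) -> List[Tuple[str, str]]:
    """Return (baseline, finding) pairs for rows an administrator should look at."""
    findings = []
    for r in rows:
        if compliance_level(r) is None:
            findings.append((r.baseline, "no computers assigned; assign the baseline to a collection"))
            continue
        if r.failed:
            findings.append((r.baseline, f"{r.failed} computer(s) failed to evaluate the baseline"))
        pending = not_yet_reported(r)
        if pending:
            findings.append((r.baseline, f"{pending} assigned computer(s) have not reported yet"))
        if r.severity.lower() == "critical" and r.non_compliant:
            findings.append((r.baseline, f"{r.non_compliant} non-compliant with a critical-severity baseline"))
    return findings


# Constructed sample rows, not real dashboard data.
SAMPLE_ROWS = [
    BaselineRow("FEP - Standard Desktop", "Critical", 200, 15, 180, 2),
    BaselineRow("FEP - Laptop", "Warning", 50, 0, 40, 0),
    BaselineRow("FEP - High-Security Desktop", "Critical", 0, 0, 0, 0),
]
```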