About Compliance and Compliance Information in Desired Configuration Management

Aplica-se a: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Use the following information to understand the compliance information displayed in the Configuration Manager 2007 desired configuration management reports. The reports provide you with the information you need to determine why a client is non-compliant with assigned configuration baselines.

For a list of available reports, see About Reports for Desired Configuration Management.

Desired configuration management evaluates compliance on a number of different levels which consolidate to define the overall compliance of a computer. These levels include the following:

The following sections explain how compliance is evaluated. For information about how the compliance information is sent to the site, see Compliance Sent As State Messages and Status Messages in Desired Configuration Management.

Evaluating the Compliance of a Configuration Item

When a client evaluates configuration items within an assigned configuration baseline, evaluation happens in the following order:

  • Applicability

  • Detection

  • Compliance of objects and settings

The results of the evaluation are reported as the configuration item's Actual Compliance, and reported as one of the values in the following table.

 

Actual Compliance Value Description

Not Applicable

This value is determined by the applicability property of the configuration item (for example, an exact Microsoft Windows platform version).

If the configuration item is not applicable to the client computer, detection is not evaluated, and the objects and settings in the configuration item are not evaluated.

Not Detected

This value is determined by the detection method configured for an application configuration item or the Windows version configured for an operating system configuration item.

If a configuration item is configured for detection and the configuration item is evaluated as not detected on a client computer, evaluation stops and the objects and settings in the configuration item are not evaluated.

Compliant or Non-Compliant

This value is determined by the object and settings properties and their configured valuation criteria, and the non-compliance severity level if the configured object or setting or does not exist on a client computer.

If the configuration item is applicable and detected, the configuration item is evaluated for compliance with its objects and settings, using the valuation criteria defined for them. The compliance for the configuration reports Compliant or Non-Compliant, as determined by the compliance evaluation.

Failed

This situation could arise as a result of invalid Service Modeling Language (SML) specified in the configuration item.

For more information about SML and its use in desired configuration management, see About Authoring Configuration Data for Desired Configuration Management.

For detailed information about how each configuration item is evaluated, see How Each Configuration Item is Evaluated for Compliance in Desired Configuration Management.

Evaluating the Compliance of a Configuration Baseline Rule

After a configuration item is evaluated for compliance, its Actual Compliance is then evaluated against the configuration baseline rule to which it is applied. The result of this evaluation determines the compliance of the configuration baseline rule.

The configuration baseline rules are as follows:

  • One of the following operating system configuration items must be present and properly configured.

  • These applications and general configuration items are required and must be properly configured.

  • If these optional application configuration items are detected, they must be properly configured.

  • These software updates must be present.

  • These application configuration items must not be present.

  • These configuration baselines must also be validated.

These configuration baseline rules are displayed in the reports as the Required Compliance.

The following table lists the Required Compliance for each configuration baseline rule.

 

Configuration Baseline Rule Required Compliance

One of the following operating system configuration items must be present and properly configured.

One of many

These applications and general configuration items are required and must be properly configured.

Required

If these optional application configuration items are detected, they must be properly configured.

Optional

These software updates must be present.

Required

These application configuration items must not be present.

Prohibited

These configuration baselines must also be validated.

Required

The Actual Compliance value (Not Applicable, Detected, Compliant or Non-Compliant) is compared with the Required Compliance of the configuration baseline rule. The results of this comparison determine whether the configuration baseline rule is compliant, or non-compliant:

  • If the Actual Compliance aligns to the Required Compliance, the configuration item is compliant with its configuration baseline rule.

  • If the Actual Compliance conflicts with the required compliance, the configuration item is non-compliant with its configuration baseline rule.

The following table shows how the configuration item’s Actual Compliance aligns or conflicts with the Required Compliance of each configuration baseline rule, which determines the compliance of the configuration baseline rule.

 

Configuration Baseline Rule Required Compliance Actual Compliance values that results in the configuration baseline rule being Compliant Actual Compliance values that results in the configuration baseline rule being Non-compliant

One of the following operating system configuration items must be present and properly configured.

One of Many

  • Compliant

  • Not Detected

    (if no operating systems items are detected)

  • Non-Compliant

    (if any one operating system item is non-compliant)

These applications and general configuration items are required and must be properly configured.

Required

  • Not Applicable

  • Compliant

  • Non-Compliant

If these optional application configuration items are detected, they must be properly configured.

Optional

  • Not Applicable

  • Not Detected

  • Compliant

  • Non-compliant

These software updates must be present.

Required

  • Not Applicable

  • Compliant

  • Not Detected

These application configuration items must not be present.

Prohibited

  • Not Applicable

  • Not Detected

  • Compliant

  • Non-Compliant

These configuration baselines must also be validated.

Required

  • Compliant

  • Non-compliant

Evaluating the Compliance of Each Configuration Baseline

For each configuration baseline assigned to a client computer, the compliance status has one of the values in the following table.

 

Configuration Baseline Compliance Status Description

Unknown

There is no compliance information reported from the client.

This situation could arise as a result of any of the following circumstances:

  • The client computer has not yet received the configuration baseline in its machine policy.

  • The client computer has received the configuration baseline but has not completed its evaluation.

  • The client computer cannot contact its management point when it is due to send its first compliance evaluation report.

Failed

Compliance evaluation failed.

This situation could arise as a result of invalid Service Modeling Language (SML) specified in the configuration data.

For more information about SML and its use in desired configuration management, see About Authoring Configuration Data for Desired Configuration Management.

Compliant

If all configuration baseline rules evaluate as compliant, the configuration baseline itself will be compliant.

Non-Compliant

One or more configuration baseline rules evaluate as non-compliant (for example, a required application is not detected).

Evaluating the Compliance of a Client Computer

The overall compliance of a client computer depends on the compliance results of all the configuration baselines assigned to it. The possible compliance values for a client computer are the same compliance values as those used for a single configuration baseline. However, the compliance of all configuration baselines is aggregated.

For example, the client is compliant only if all configuration baselines evaluation as compliant. If a single configuration baseline from the total configuration baselines assigned to the client is non-compliant, the overall compliance of the client evaluates as non-compliant.

Consulte Também

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.

Conteúdo da Comunidade

Mostrar: