Compliance Settings in SCCM 2012 SP1. This was called ‘Desired Configuration Management’ in SCCM 2007. Compliance Settings consist of ‘Configuration Items’ and ‘Configuration Baselines’. There is another node here: ‘User Data and Profiles’. This one is not a Compliance Setting but Folder Redirection from within the ConfigMgr Console…(hmm well that’s what GPO’s are for, aren’t they?)
The Compliance Settings help you to assess the compliance of Users and/or Devices for all kind of configurations in your organization. For instance: right OS version, updates, hotfixes, applications, application settings, prohibited applications etc.
The Configuration Items do all the magic. They can be of various kinds:
- Mobile Device;
- Mac OS X.
And can query through various ways. Configuration Items can also remediate non-compliant settings if you like!
Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate and settings and rules that describe the level of compliance you must or like to have. You can import this configuration data from Microsoft System Center Configuration Manager Configuration Packs which can contain best practices that are defined by Microsoft and other vendors, into ConfigMgr. You can create new configuration items and configuration baselines yourself for your own applications.
After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.
Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.
Configuration baselines: Contains one or multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.
To use Compliance Settings in your environment there are a few steps you have to take:
- Enable Compliance Settings on your clients;
- Reporting Services must be installed as a site role.
Enable Compliance Settings on your clients.
Go to: Administration, Client Settings
Edit or Create ‘Client Device Settings‘
Select ‘Compliance Settings‘
And select ‘Enable compliance evaluation on clients‘ to Yes
Then deploy the Client Device Settings to a collection.
Reporting Services must be installed as a site role.
The Reporting services point is installed.
Now you can Add Configuration Items and Define Configuration Baselines!
That’s next time!