Article
07/27/2015

Example Scenario for Compliance Settings in Configuration Manager

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide.

This topic provides an example scenario for how you can use compliance settings in System Center 2012 Configuration Manager to remediate a failed application installation because a registry key is being overwritten.

In this scenario, Woodgrove Bank uses a line of business application that provides access to standard company forms on the desktop of users’ computers. Many users are reporting that this application fails to run. John is the Configuration Manager administrator at Woodgrove bank who must troubleshoot the problem and ensure that it does not recur in the future. After investigation, John realizes that a second application overwrites a registry key that is used by the line of business application. He tests this by correcting the registry key value on a computer. This change allows the line of business application to run. John requires a way to correct this registry key value on all desktop and laptop computers at Woodgrove Bank when it is not correct. He also requires that if the registry value is changed again in the future, the problem is automatically corrected.

John wants to evaluate the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1. If this registry key contains the value 0 then it is noncompliant and must be remediated with a value of 1.

John discovers that compliance settings in System Center 2012 Configuration Manager can monitor for, and automatically remediate incorrect registry key values and decides to use this to solve the business problem.

The following sections in this topic provide steps that can help you to create, deploy, and manage compliance settings in your organization:

Preparing to perform the scenarios
Step 1: Create a configuration item
Step 2: Create a configuration baseline
Step 3: Deploy the configuration baseline
Step 4: Monitor the configuration baseline deployment

Preparing to perform the scenarios

Before John can begin to use compliance settings, he takes the actions outlined in the following table.

Process	Reference
John reviews the available information about the basic concepts for compliance settings in System Center 2012 Configuration Manager.	For overview information about compliance settings, see Introduction to Compliance Settings in Configuration Manager.
John reviews and implements the required prerequisites for compliance settings.	For information about the prerequisites for compliance settings, see Prerequisites for Compliance Settings in Configuration Manager.

Step 1: Create a configuration item

John creates a configuration item that contains the settings to evaluate and remediate the registry setting by taking the actions outlined in the following table.

Process	Reference
John reads the compliance settings documentation and decides that an operating system configuration item would best meet his business requirements.	For more information, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.
John starts the Create Configuration Item Wizard and specifies general information about the configuration item. He creates a configuration item of the type Windows and does not check the This configuration item contains application settings box. He names the configuration item Woodgrove Bank Configuration Item 1.	For more information, see the sections Step 1: Start the Create Configuration Item Wizard and Step 2: Provide General Information about the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.
On the Supported Platforms page of the Create Configuration Item Wizard, John specifies the operating systems to evaluate the configuration item for compliance. John ensures that no Windows Server operating systems are selected that fulfills the requirement that the configuration item is not evaluated on computers that run Windows Server.	For more information, see the section Step 6: Specify Supported Platforms for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.
On the Settings page of the wizard, John clicks New to open the Create Setting dialog box and to create a new setting with the following parameters: Name – John enters Woodgrove Bank registry setting. Setting type – From the drop-down list, John selects Registry value. Data type – Because John wants to detect a value of 1 or 0 for the registry key, he selects Integer from the drop-down list. Hive – From the drop-down list, he selects HKEY_LOCAL_MACHINE. Key – John enters SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1. Value – John enters 1, which is the required value for this registry key.	For more information about how to create settings, see the section Step 4: Configure Settings for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.
In the Compliance Rules tab of the Create Settings dialog box, John clicks New to create a new rule that defines the compliant value for the Woodgrove Bank registry setting. In the Create Rule dialog box, he verifies or supplies the following parameters: Name – John enters Rule 1. Selected setting – John verifies that the selected setting is Woodgrove Bank registry setting\Woodgrove Bank registry setting. Rule type – From the drop-down list, John selects Value. The setting must comply with the following rule – John verifies that the setting name is correct and configures the options to specify that the setting value must equal 1. Remediate noncompliant rules when supported – John checks this box to ensure that configuration manager will reset the registry key value to the correct value if it is incorrect. John completes the wizard and the new configuration item is displayed in the Configuration Items node of the Assets and Compliance workspace.	For more information about how to create settings, see the section Step 4: Configure Settings for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

Step 2: Create a configuration baseline

John takes the actions outlined in the following table to create a configuration baseline that contains the configuration item he previously created and can be deployed to client computers.

Process	Reference
John opens the Create Configuration Baseline dialog box and specifies the name Woodgrove Back Configuration Baseline 1.	For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.
John adds the configuration item that he previously created, Woodgrove Bank Configuration Item 1 into the configuration baseline. John clicks OK to close the Create Configuration Baseline dialog box and the new configuration baseline is displayed in the Configuration Baselines node of the Assets and Compliance workspace.	For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

John opens the Create Configuration Baseline dialog box and specifies the name Woodgrove Back Configuration Baseline 1.

For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

John adds the configuration item that he previously created, Woodgrove Bank Configuration Item 1 into the configuration baseline.

John clicks OK to close the Create Configuration Baseline dialog box and the new configuration baseline is displayed in the Configuration Baselines node of the Assets and Compliance workspace.

For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

Step 3: Deploy the configuration baseline

To deploy the configuration baseline to computers, John takes the actions outlined in the following table.

Process	Reference
John creates a device collection that contains all computers that run a desktop operating system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers.	For information about how to create collections, see How to Create Collections in Configuration Manager
John opens the Deploy Configuration Baselines dialog box, verifies that Woodgrove Back Configuration Baseline 1 is displayed in the Selected configuration baselines list, and then specifies the following additional information: Remediate noncompliant rules when supported – John checks this box to enable Configuration Manager to remediate the incorrect registry key value when it is discovered. Select the collection for this configuration baseline deployment – John clicks Browse and then selects the All Desktop and Laptop Computers device collection. John does not change the default schedule that clients evaluate the configuration item every 7 days. John completes the wizard and the deployment is displayed in the Deployments node of the Monitoring workspace.	For more information about how to deploy configuration baselines, see How to Deploy Configuration Baselines in Configuration Manager.

John creates a device collection that contains all computers that run a desktop operating system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers.

For information about how to create collections, see How to Create Collections in Configuration Manager

John opens the Deploy Configuration Baselines dialog box, verifies that Woodgrove Back Configuration Baseline 1 is displayed in the Selected configuration baselines list, and then specifies the following additional information:

Remediate noncompliant rules when supported – John checks this box to enable Configuration Manager to remediate the incorrect registry key value when it is discovered.
Select the collection for this configuration baseline deployment – John clicks Browse and then selects the All Desktop and Laptop Computers device collection.

John does not change the default schedule that clients evaluate the configuration item every 7 days.

John completes the wizard and the deployment is displayed in the Deployments node of the Monitoring workspace.

For more information about how to deploy configuration baselines, see How to Deploy Configuration Baselines in Configuration Manager.

Step 4: Monitor the configuration baseline deployment

After John deploys the configuration baseline, he takes the actions outlined in the following table to monitor the deployment and ensure that computers are now reporting compliance for the registry key.

Process	Reference
In the Deployments node of the Monitoring workspace, John selects the Woodgrove Back Configuration Baseline 1 configuration baseline. In the Completion Statistics section, he views general information about the devices that are compliant, noncompliant, in error, or have not reported compliance information yet (unknown). In the Home tab, in the Deployment group, he clicks View Status to view detailed information about the devices that report each status.	For more information about how to monitor compliance settings, see the section How to View Compliance Results in the Configuration Manager Console in the topic How to Monitor for Compliance Settings in Configuration Manager.
After some time, John sees that no computers report noncompliance for the registry key value and he is able to report to his manager that the problem has been solved.	No additional information.

In the Deployments node of the Monitoring workspace, John selects the Woodgrove Back Configuration Baseline 1 configuration baseline.

In the Completion Statistics section, he views general information about the devices that are compliant, noncompliant, in error, or have not reported compliance information yet (unknown).

In the Home tab, in the Deployment group, he clicks View Status to view detailed information about the devices that report each status.

For more information about how to monitor compliance settings, see the section How to View Compliance Results in the Configuration Manager Console in the topic How to Monitor for Compliance Settings in Configuration Manager.

After some time, John sees that no computers report noncompliance for the registry key value and he is able to report to his manager that the problem has been solved.

No additional information.

Share via