Device Compliance

Configuration Manager uses compliance settings to manage the configuration and compliance of devices. It allows you to create configuration items containing settings to assess compliance, define compliance rules, and create configuration baselines containing multiple configuration items. Configuration baselines can be deployed to devices and clients will evaluate compliance and report results. Common configuration item types include Windows, Mac, and mobile device settings as well as remote connection profiles, user profiles, and Windows edition upgrades.


Contents

Device compliance documentation


Understand and explore
Ensure device compliance
Get started
Get started with compliance settings
Plan and design
Plan for, and configure compliance settings
Tasks for managing compliance
Common tasks for managing compliance
Devices with the Configuration Manager client
Create and deploy configuration baselines
Security and privacy
Deploy and use
Create configuration items
Create configuration items overview
Devices managed with the Configuration Manager client
Windows 10
Mac OS X
Windows desktop and server (custom)
Create child configuration items
Create configuration baselines
Deploy configuration baselines
Manage configuration data
Manage configuration data
Import configuration data
Create user data and profiles configuration items
OneDrive for Business Profiles
Create remote connection profiles
Upgrade Windows devices to a new edition
Configure Microsoft Edge Legacy settings
Monitor compliance settings
Ensure device compliance with Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Compliance settings in Configuration Manager give you the tools and resources you need to manage the
configuration and compliance of devices in your organization. This helps you support the following business
requirements:
Compare the configuration of Windows PCs, Mac computers, servers, and mobile devices you manage
against best-practice configurations you create, or obtain from other vendors
Identify unauthorized device configurations
Report compliance with regulatory policies and in-house security policies
Identify security vulnerabilities
Provide the help desk with the information to detect probable causes of reported incidents and problems by
identifying noncompliant configurations
Automatically remediate some noncompliant settings on mobile devices
Remediate noncompliance by deploying applications, packages and programs, or scripts to a collection that
is automatically populated with devices that report that they are out of compliance

Get started
Learn the basics about compliance settings, and the tasks you can accomplish with them.
Get started with compliance settings

Plan and design


Before you start working with compliance settings, make sure you have implemented the necessary prerequisites
that you'll find in this topic.
Plan for and configure compliance settings

Common tasks
In this section, you'll find some common scenarios that will help you learn to use compliance settings in
Configuration Manager.
Common tasks for managing compliance

Remote connection profiles


This configuration item type allows you to configure your users' PCs to remotely connect to work computers when
they are not connected to the domain, or when their personal computers are connected over the Internet.
Create remote connection profiles
User data and profiles
This configuration item type contains settings that can manage folder redirection, offline files and roaming profiles
on computers that run Windows 8 and later for users in your hierarchy.
Create user data and profiles configuration items

Windows edition upgrade policy


The edition upgrade policy lets you automatically upgrade Windows 10 devices to a newer version. You can specify
a product key to upgrade Windows 10 desktop versions, or a license file that can be used to upgrade devices
running Windows 10 Mobile and Windows 10 Holographic.
Upgrade Windows devices with the edition upgrade policy
Get started with compliance settings in Configuration Manager
9/4/2020 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Before creating Configuration Manager compliance settings, first learn about core concepts and understand how
they work.

How compliance settings work


Compliance settings let you manage the configuration and compliance of clients in your organization.
Configuration items fall into two main categories:
Settings for devices that are managed with the Configuration Manager client - typically devices
on which you've installed Configuration Manager client software to let you manage the device.
Settings for devices that are managed without the Configuration Manager client - typically
devices that are managed with Microsoft Intune, or with Configuration Manager on-premises device
management.

What devices are supported?


Device type - More information
Windows PCs (with the Configuration Manager client) - Create custom configuration items to assess objects such as registry keys, files, and Active Directory attributes. When you use the Windows 10 configuration item type, select settings from a predefined list.
Windows PCs (enrolled with on-premises MDM) - Select settings from a predefined list.
Windows Phone devices (enrolled with on-premises MDM) - Select settings from a predefined list.
Mac computers (with the Configuration Manager client) - Create custom configuration items to assess objects such as macOS preferences, and results returned by a script.

What is a configuration item?


A configuration item is a container that stores specific information. The information you configure depends on the
configuration item type. Configuration items can include the following information:
Detection method information is only for Windows configuration items that contain application
settings. It detects whether an application is installed, either by using the Windows Installer file for the
application or by using a custom script.
Settings represent the business or technical conditions to assess compliance on client devices. Configure a
new setting or browse to an existing setting on a reference computer.
Compliance rules specify the conditions that define the compliance of a configuration item setting. Before
the client evaluates a setting for compliance, it must have at least one compliance rule. Some settings
remediate noncompliant values. Create new rules, or browse to an existing setting in any configuration item
and select rules in it.
Supported platforms are the device platforms you define on which the client evaluates compliance of the
configuration items. If you deploy a configuration item to a device that is not in the supported platforms list,
it does not evaluate compliance.

What is a configuration baseline?


Define a configuration baseline that includes the configuration items to evaluate. Also include the settings and
rules that describe the required level of compliance. Import this configuration data from Configuration Manager
configuration packs. Microsoft and other vendors define these configuration packs. Or create new configuration
items and configuration baselines.
After you define a configuration baseline, deploy it to user and device collections. The client then evaluates the
baseline settings for compliance on a schedule. You can deploy more than one configuration baseline to devices.
This granularity provides greater control of compliance.
Client devices evaluate their compliance against each deployed configuration baseline and immediately report the
results to the site by using state messages and status messages. If a device is currently disconnected from the
network, but downloaded the configuration baseline, it still evaluates compliance of the configuration items. It
sends the compliance information when it reconnects.
Monitoring configuration baselines
Monitor the results of the compliance evaluation in the Configuration Manager console, under the Monitoring
workspace, in the Deployments node. For example:
Common causes of noncompliance
Errors
The number of affected users and devices
Run compliance settings reports with additional details. For example:
Which devices are compliant or non-compliant
Which element of the configuration baseline is causing a computer to be non-compliant
View compliance evaluation results from Windows computers running the Configuration Manager client. Open
the Configuration Manager control panel, and switch to the Configurations tab.

User data and profiles configuration items


Configuration items for user data and profiles include settings that control how users on computers that run
Windows 8 and later manage:
Folder redirection
Offline files
Roaming profiles
Deploy these configuration items to user collections. Monitor their compliance from the Monitoring node of the
Configuration Manager console. Unlike other configuration items, don't add them to configuration baselines
before you deploy them. Deploy them directly by clicking Deploy in the ribbon.
For more information, see Create user data and profiles configuration items.

Remote connection profiles


Remote connection profiles provide a set of tools and resources to help you create, deploy, and monitor remote
connection settings. By deploying these settings to devices, you minimize the effort that end users require to
connect their computers to the corporate network.
For more information, see Create remote connection profiles.

Windows edition upgrade


The edition upgrade policy automatically upgrades devices that run certain versions of Windows 10 to a newer
edition. This policy supplies a new product key or license file that the device consumes to upgrade.
For more information, see Upgrade Windows devices with the edition upgrade policy

Microsoft Edge Legacy browser profiles


For customers who use the Microsoft Edge Legacy web browser on Windows 10 clients, create a Configuration
Manager compliance policy to configure the browser settings.
For more information, see Microsoft Edge Legacy browser profiles.
Plan for and configure compliance settings in Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Before you start working with Configuration Manager compliance settings, there are a few prerequisites you need
to know about, and some configuration tasks you'll need to perform.

Prerequisites for compliance settings


Prerequisite - More information
Windows Configuration Manager clients must be enabled and configured for compliance evaluation. - See below
If you want to run reports, then you must configure reporting for your site. - Introduction to reporting
Required security permissions. - The Compliance Settings Manager security role includes the necessary permissions to manage compliance settings, user data and profiles configuration items, and remote connection profiles. See Configure role-based administration.

Enable and configure compliance settings (for Windows PCs only)


This procedure configures the default client settings for compliance settings and applies to all computers in your
hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and
assign it to a collection that contains the computers for which you want to use compliance settings. For more
information about how to create custom device settings, see How to configure client settings.

TIP
Other device types require no specific configuration to evaluate compliance settings.

1. In the Configuration Manager console, click Administration > Client Settings > Default Settings.
2. On the Home tab, in the Properties group, click Properties.
3. In the Default Settings dialog box, click Compliance Settings.
4. Configure the following client settings for compliance settings:
Enable compliance evaluation on clients - Set to True if you want to evaluate compliance on client
devices.
Schedule compliance evaluation - Click Schedule if you want to modify the default compliance
evaluation schedule on client devices.
Enable User Data and Profiles - Enable this option if you want to create and deploy user data and
profiles configuration items to Windows computers. For details, see Create user data and profiles
configuration items.
5. Click OK to close the Default Settings dialog box.
Client computers are configured with these settings the next time they download client policy.
Common tasks for managing compliance with Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


In this section, you'll find some common scenarios that will help you learn to use compliance settings in
Configuration Manager.

For devices that run the Configuration Manager client


Common tasks for managing compliance on devices with the Configuration Manager client

For devices that do not run the Configuration Manager client


Common tasks for managing compliance on devices not running the Configuration Manager client

Scenarios for creating and deploying configuration baselines


Common tasks for creating and deploying configuration baselines with Configuration Manager
Common tasks for managing compliance on devices with the Configuration Manager client
9/4/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


This article gives you an introduction to using Configuration Manager compliance settings by guiding you through
some common scenarios that you might come across.
If you're already familiar with compliance settings, you can find detailed information about all the features you use
in Configuration items for devices managed with the Configuration Manager client.
Before you start, read Get started with compliance settings to learn some basics about compliance settings. Read
Plan for and configure compliance settings for information about necessary prerequisites.

General information for each scenario


In each scenario, you'll create a configuration item that performs a specific task. To open the Create Configuration
Item Wizard and get started, take these steps:
1. In the Configuration Manager console, select Assets and Compliance > Compliance Settings >
Configuration Items .
2. On the Home tab, in the Create group, select Create Configuration Item .
3. On the General page of the Create Configuration Item Wizard, shown in the following screenshot, specify a
name and description for the configuration item. Then choose the appropriate configuration item type for
each scenario in this article.
Scenario: Disable Bluetooth on Windows 10 devices
In this scenario, your security department has determined that the Bluetooth capability on devices could be used to
transmit sensitive corporate information outside the company. You've recently upgraded all your computers to
Windows 10. You decide to disable Bluetooth on these devices.
1. On the General page of the Create Configuration Item Wizard, select the Windows 10 configuration item
type, and then select Next .
2. On the Supported Platforms page of the wizard, select all Windows 10 platforms.
3. On the Device Settings page, select Device , and then select Next .
4. On the Device page, select Prohibited as the value for Bluetooth .
5. Select Remediate noncompliant settings to ensure the change is applied to all Windows 10 devices.
6. Complete the wizard to create the configuration item.
You can now use the information in the Common tasks for creating and deploying configuration baselines with
Configuration Manager article to help you deploy the configuration you've created to devices.

Scenario: Remediate an incorrect registry value on Windows desktop computers
NOTE
On Mac computers running the Configuration Manager client, you have two options for assessing compliance:
Evaluate a Mac OS X preferences (plist) file.
Use a custom script and evaluate the results returned by the script.
For more information, see How to create configuration items for Mac OS X devices managed with the Configuration Manager
client.

In this scenario, you discover that an important line-of-business app doesn't run correctly on some Windows 8.1
computers that you manage. You determine that this is because a registry key named
HKEY_LOCAL_MACHINE\SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1 is set to a
value of 0 on some computers. For the line-of-business app to run successfully, this value needs to be set to 1 .
In this procedure, you'll create a configuration item that monitors for and automatically remediates any incorrect
registry key values that are found.
1. On the General page of the Create Configuration Item Wizard, select the Windows Desktops and
Servers (custom) configuration item type, and then select Next.
2. On the Supported Platforms page of the wizard, select Windows 8.1 (to ensure the configuration item
applies only to affected computers).
3. On the Settings page, select New to create a new setting.
4. On the General tab of the Create Setting dialog box, configure these settings:
Name > Example setting
Setting type > Registry value
Data type > Integer (because the value contains a number only)
Hive > HKEY_LOCAL_MACHINE
Key > SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1
Value > 1 (the required value)
5. On the Compliance Rules tab of the Create Setting dialog box, select New . In the Create Rule dialog
box, configure these settings:
Name > Example Rule
Selected setting > Verify that the selected setting is Example setting .
Rule type > Value
The setting must comply with the following rule > Verify that the setting name is correct and
configure the option to specify that the setting value must equal 1 .
Remediate noncompliant rules when supported > Select this check box to ensure that
Configuration Manager will reset the registry key value to the correct value if it's incorrect.
6. Complete the wizard to create the configuration item.
You can now use the information in the Common tasks for creating and deploying configuration baselines article to
help you deploy the configuration you've created to devices.
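To make concrete what the client checks and enforces in this scenario, the following PowerShell function is an added example, not code from the Configuration Manager documentation or product. It performs the same evaluation the compliance rule above describes (the integer must equal 1) and, only when -Remediate is passed, the same remediation. The Woodgrove path and the required value of 1 come from the scenario; the function and parameter names are this example's own. The scenario quotes the whole path through Configuration1 as the key, so this example assumes Configuration1 is a REG_DWORD value name under the Configuration key, which is the layout the rule implies.

```powershell
# Added example: mirrors the registry compliance rule from the scenario above.
# Assumption: 'Configuration1' is a REG_DWORD value under the 'Configuration' key.
# Paths and the required value are the page's Woodgrove sample; names are ours.

function Test-RegistryValueCompliance {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Woodgrove\LOB App\Configuration',
        [string]$ValueName = 'Configuration1',
        [int]$RequiredValue = 1,
        [switch]$Remediate
    )

    # Mirrors the 'Integer' data type chosen in the Create Setting dialog: a missing
    # value or a non-integer (for example REG_SZ text) is noncompliant, not coerced.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.$ValueName } else { $null }

    if ($current -is [int] -and $current -eq $RequiredValue) {
        return [pscustomobject]@{ Status = 'Compliant'; Current = $current; Remediated = $false }
    }

    if (-not $Remediate) {
        # Evaluation-only mode: report, like a deployment made without
        # 'Remediate noncompliant rules when supported'.
        return [pscustomobject]@{ Status = 'NonCompliant'; Current = $current; Remediated = $false }
    }

    # Remediation: create the key if it is missing, then write the DWORD. A failure
    # (for example, no rights to write under HKLM) is reported as 'Error', which is
    # the state the client reports when remediation cannot complete.
    try {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $RequiredValue -Type DWord -ErrorAction Stop
        return [pscustomobject]@{ Status = 'Compliant'; Current = $RequiredValue; Remediated = $true }
    } catch {
        return [pscustomobject]@{ Status = 'Error'; Current = $current; Remediated = $false; Message = $_.Exception.Message }
    }
}

# Usage: evaluate only (no changes to the registry).
Test-RegistryValueCompliance
# Usage: evaluate and remediate (needs rights to write under HKLM).
Test-RegistryValueCompliance -Remediate
```

Running the function without -Remediate is the safe first step on a reference computer: it tells you whether the value is absent, wrong, or of the wrong type before any deployment changes it.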

Next steps
Create and deploy configuration baselines
Common tasks for creating and deploying configuration baselines with Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains common scenarios to help you learn about how to create and deploy Configuration Manager
configuration baselines.
If you are already familiar with compliance settings, you can find detailed documentation about all the features
you use in the Create configuration baselines and Deploy configuration baselines topics.
Before you start, read Get started with compliance settings to learn some basics about compliance settings, and
also read Plan for and configure compliance settings to implement any necessary prerequisites.

Create a configuration baseline


In this example, you've created a configuration item for only Windows 10 PCs that run the Configuration Manager
client.
This configuration item enforces a required password of at least 6 characters on Windows 10 PCs. The
configuration item is named Windows 10 Password Enforcement .
Use the following procedure to learn how to add this configuration item to a configuration baseline to prepare it
for deployment.
1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Baselines .
2. On the Home tab, in the Create group, click Create Configuration Baseline .
3. In the Create Configuration Baseline dialog box, configure the following settings:
Name - Enter Windows 10 Passwords (or another name of your choice)
4. Click Add > Configuration Items .
5. In the Add Configuration Items dialog box, select the Windows 10 Password Enforcement
configuration item that you previously created, then click Add .
6. Click OK to close the Add Configuration Items dialog box and return to the Create Configuration
Baseline dialog box.
7. Click OK to close the Create Configuration Baseline dialog box.
You can now see the configuration baseline in the Configuration Baselines node of the Configuration
Manager console.

Deploy the configuration baseline


In this example, you deploy the configuration baseline you created in the previous procedure to a collection of
computers.
1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Baselines .
2. From the list of configuration baselines, select Windows 10 Passwords .
3. On the Home tab, in the Deployment group, click Deploy .
4. In the Deploy Configuration Baselines dialog box, configure the following settings:
Selected configuration baselines - Ensure that the Windows 10 Passwords configuration
baseline was automatically added to this list.
Remediate noncompliant rules when supported - Check this box to ensure that if the correct
settings are not present on targeted devices, then they are remediated by Configuration Manager.
Collection - Click Browse to choose the collection of computers on which the configuration
baseline is evaluated and remediated for compliance. In this example, the configuration baseline was
deployed to the built-in All Desktop and Server Clients collection.

TIP
Don't worry if the collection you choose contains computers or devices that don't run Windows 10. As long
as you configured supported platforms in the configuration item you created, only Windows 10 PCs are
evaluated for compliance.

If necessary, configure the schedule by which the configuration baseline is evaluated. Otherwise,
keep the default of 7 Days .
5. Click OK to close the Deploy Configuration Baselines dialog box and create the deployment.
If you want to take a quick look at compliance statistics for this deployment, in the Monitoring workspace,
click Deployments . At the bottom of the screen, you see a Compliance Statistics chart.

Next steps
For more detailed information about how to monitor configuration baselines, see Monitor compliance settings.
Security and privacy for compliance settings in Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)

Security best practices for compliance settings


Security best practice - More information
Do not monitor sensitive data. - To help avoid information disclosure, do not configure configuration items to monitor potentially sensitive information.
Do not configure compliance rules that use data that can be modified by end users. - If you create a compliance rule based on data that users can modify, such as registry settings for configuration choices, the compliance results will not be reliable.
Import Microsoft System Center configuration packs and other configuration data from external sources only if they have a valid digital signature from a trusted publisher. - Published configuration data can be digitally signed so that you can verify the publishing source and ensure that the data has not been tampered with. If the digital signature verification check fails, you are warned and prompted to continue with the import. Do not import unsigned data if you cannot verify the source and integrity of the data.
Implement access controls to protect reference computers. - Ensure that when an administrative user configures a registry or file system setting by browsing to a reference computer, the reference computer has not been compromised.
Secure the communication channel when you browse to a reference computer. - To prevent tampering of the data when it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs the Configuration Manager console and the reference computer.
Restrict and monitor the administrative users who are granted the Compliance Settings Manager role-based security role. - Administrative users who are granted the Compliance Settings Manager role can deploy configuration items to all devices and all users in the hierarchy. Configuration items can be very powerful and can include, for example, scripts and registry reconfiguration.
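The third practice above says not to import configuration data whose signature cannot be verified. The following PowerShell function is an added example, not part of the Configuration Manager product or documentation, of checking a downloaded configuration pack before you open the import wizard, so the decision is made on the signature result rather than on the import warning prompt. It assumes the file is Authenticode-signed (the signing form Get-AuthenticodeSignature verifies); the file path and the expected publisher subject are placeholders to replace with your own values, and the function and parameter names are this example's own.

```powershell
# Added example: pre-import signature check for a configuration pack (.cab) or
# other configuration data file. Assumption: Authenticode signing. The path and
# expected publisher below are placeholders, not values from the page.

function Test-ConfigurationPackSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Fragment the signing certificate's subject must contain, e.g. 'CN=Contoso Publishing'.
        [Parameter(Mandatory)][string]$ExpectedSubject
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signed content and the certificate
    # chain builds to a trusted root. Every other status (NotSigned, HashMismatch,
    # NotTrusted, UnknownError) is a reason to stop rather than continue the import.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid chain alone is not enough: any code-signing certificate the machine
    # trusts would pass. Pin the publisher you actually expect the data from.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer: $subject" }
    }

    return [pscustomobject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = 'Valid signature from expected publisher'
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# Usage with placeholder values: proceed to Import Configuration Data only when Trusted is $true.
$result = Test-ConfigurationPackSignature -Path 'C:\Packs\ExampleConfigPack.cab' -ExpectedSubject 'CN=Example Publisher'
if (-not $result.Trusted) { Write-Warning "Refusing to import $($result.Path): $($result.Reason)" }
$result
```

Recording the thumbprint alongside the import is a cheap way to make a later audit question ("which signer did we accept for this pack?") answerable without re-fetching the file.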

Privacy information for compliance settings


You can use compliance settings to evaluate whether your client devices are compliant with configuration items
that you deploy in configuration baselines. Some settings can be automatically remediated if they are out of
compliance. Compliance information is sent to the site server by the management point and stored in the site
database. The information is encrypted when devices send it to the management point, but it is not stored in
encrypted format in the site database. Information is retained in the database until the site maintenance task
Delete Aged Configuration Management Data deletes it every 90 days. You can configure the deletion
interval. Compliance information is not sent to Microsoft.
By default, devices do not evaluate compliance settings. In addition, you must configure the configuration items and
configuration baselines, and then deploy them to devices.
Create configuration items in Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Compliance settings in Configuration Manager let you create and deploy configurations to both devices that are
managed by Configuration Manager, and devices that are enrolled with Microsoft Intune.

Configuration items for devices managed with the Configuration Manager client
Before you start, read Get started with compliance settings to learn some basics about compliance settings, and
read Plan for and configure compliance settings to implement any necessary prerequisites. In each scenario, you'll
create a configuration item that does a specific task.
How to create configuration items for Windows 10 devices managed with the Configuration Manager Client
How to create configuration items for Mac OS X devices managed with the Configuration Manager client
How to create custom configuration items for Windows desktop and server computers managed with the
Configuration Manager client

Configuration items for devices managed with Intune


Before you start, read Get started with compliance settings to learn some basics about compliance settings, and
read Plan for and configure compliance settings to implement any necessary prerequisites. To review information
about configuration items for devices managed with Intune, see Configuration items for devices managed with Intune.

Next steps
Get started with compliance settings
Create configuration items for Windows 10 devices
9/4/2020 • 5 minutes to read

Use the Configuration Manager Windows 10 configuration item to manage settings for Windows 10 computers
that are managed by the Configuration Manager client.

IMPORTANT
In this release, if you created a Password setting as part of a configuration item of the type Windows 10 (for a device
managed with the Configuration Manager client), be aware of the following problem. If the setting doesn't already exist, or
hasn't been configured on the Windows 10 device, it will incorrectly evaluate as compliant.
As a workaround, when you create a setting for these devices, ensure that Remediate noncompliant settings is selected
on the settings pages of the Create Configuration Item wizard. In addition, when you deploy a configuration baseline
containing a Windows 10 configuration item containing password settings, select Remediate noncompliant rules when
supported. You make this selection in the Deploy Configuration Baselines dialog box. By using this workaround, the setting
is monitored, and remediated if it's found to be noncompliant. After remediation, the setting is correctly reported as
Compliant (unless a problem is encountered, in which case it will report Error ).

To create a Windows 10 configuration item


1. In the Configuration Manager console, select Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, and then select Configuration
Items.
3. On the Home tab, in the Create group, select Create Configuration Item.
4. On the General page of the Create Configuration Item wizard, specify a name and optional description
for the configuration item.
5. Under Specify the type of configuration item that you want to create , select Windows 10 .
6. If you create and assign categories to help you search and filter configuration items in the Configuration
Manager console, select Categories .
7. On the Supported Platforms page of the wizard, select the specific Windows 10 platforms that will
evaluate the configuration item.
8. On the Device Settings page of the wizard, select the settings group that you want to configure. (For
details, see Windows 10 configuration item settings reference in this article.) Then select Next .

TIP
If the setting that you want isn't listed, select the Configure additional settings that are not in the default
setting groups check box.

9. On each settings page, configure the settings you require, and whether you want to remediate them when
they aren't compliant on devices (when this is supported).
10. For each settings group, you can also configure the severity reported when a configuration item is found to
be noncompliant:
None : Devices that fail this compliance rule don't report a failure severity for Configuration Manager
reports.
Information : Devices that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning : Devices that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical : Devices that fail this compliance rule report a failure severity of Critical for Configuration
Manager reports.
Critical with event : Devices that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports. This severity level is also logged as a Windows event in the
application event log.
11. On the Platform Applicability page of the wizard, review any settings that aren't compatible with the
supported platforms you selected earlier. You can go back and remove these settings, or you can continue.

TIP
Unsupported settings are not assessed for compliance.

12. Complete the wizard.


You can view the new configuration item in the Configuration Items node of the Assets and
Compliance workspace.

Windows 10 configuration item settings reference


Password
Setting - Details
Require password settings on devices - Requires a password on supported devices.
Minimum password length (characters) - The minimum length in characters for the password.
Password expiration in days - The number of days before the password must be changed.
Number of passwords remembered - Prevents reusing previous passwords.
Number of failed logon attempts before a device is wiped - Wipes the device if sign-in fails this number of times.
Idle time before device is locked - Specifies how many minutes the device must be inactive before it's automatically locked.
Password complexity - Choose whether you can specify a PIN such as '1234', or whether you must supply a strong password.
Number of complex character sets required in password (Windows 10 only) - If you selected a Strong password, use this setting to configure the number of complex character sets required. For a strong password, this setting should be set to at least 3, which means both letters and numbers are required. Select 4 if you want to enforce a password that additionally requires special characters, such as (%$.

Device
SET T IN G N A M E DETA IL S

Bluetooth Allows use of the Bluetooth feature on the device.

Cloud
SET T IN G N A M E DETA IL S

Settings synchronization Allows synchronization of settings between devices.

Credentials synchronization Allows synchronization of credentials between devices.

Settings synchronization over metered connections Allows settings to be synchronized when the internet
connection is metered.

Roaming
SET T IN G N A M E DETA IL S

Data roaming Allows roaming between networks when accessing data.

Encryption
SET T IN G N A M E DETA IL S

File encr yption on device Requires that files on the device are encrypted.

System security
SET T IN G N A M E DETA IL S

User Account Control Configures how Windows User Account Control works on the
device.
For example, you can disable it, or set the level at which it
notifies you.

Network firewall Enables or disables Windows Firewall.

Smar tScreen Enables or disables Windows SmartScreen.

Virus protection Requires that antivirus software must be installed and


configured.
SET T IN G N A M E DETA IL S

Virus protection signatures are up to date Requires that the signature files for the antivirus software on
the device must be up to date.

Windows Information Protection


With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data
leaks through apps and services, like email, social media, and the public cloud. These are outside of the
organization's control. Examples include when an employee:
Sends the latest engineering pictures from their personal email account.
Copies and pastes product info into a tweet.
Saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP, formerly enterprise data protection) helps to protect against this potential
data leakage, without otherwise interfering with the employee experience. WIP also helps to protect enterprise
apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees
bring to work. WIP doesn't require changes to your environment or other apps.
Configuration Manager Windows Information Protection configuration items manage the following:
The list of apps protected by WIP
Enterprise network locations
Protection level
Encryption settings
For information about how to configure WIP with Configuration Manager, see:
Protect your enterprise data using Windows Information Protection (WIP)
Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager
Limitations while using Windows Information Protection (WIP)

See also
Configuration items for devices managed with the Configuration Manager client
Create configuration items for Mac OS X devices
9/4/2020 • 6 minutes to read

Use the Configuration Manager Mac OS X (custom) configuration item to manage settings for Mac OS X devices
that are managed by the Configuration Manager client.
The Mac OS X operating system uses property list (.plist) files to store application settings. Use compliance settings
to evaluate and remediate settings in a property list file. You can also manage Mac OS X settings by writing a shell
script that returns a value that you can evaluate and remediate for compliance.

Create a custom Mac OS X configuration item


1. In the Configuration Manager console, select Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, and then select
Configuration Items.
3. On the Home tab, in the Create group, select Create Configuration Item.
4. On the General page of the Create Configuration Item wizard, specify a name and optional description
for the configuration item.
5. Under Specify the type of configuration item that you want to create, select Mac OS X (custom).
6. To create and assign categories that help you search and filter configuration items in the Configuration
Manager console, select Categories.
7. On the Supported Platforms page of the wizard, select the specific Mac OS X versions that will evaluate
the configuration item.
8. On the Settings page of the wizard, add new settings that are evaluated for compliance on Mac computers.
Select New to open the Create Setting dialog box.
9. In the Create Setting dialog box, enter a unique name and a description for the setting.
10. Choose the Setting type you want, and then supply the required information:
Mac OS X Preferences
Application ID: Specify the application ID of the property list file from which you want to
evaluate a key for compliance.
For example, if you want to edit settings for the Safari Web browser, you might use
com.apple.Safari.plist.
Key: Specify the name of the key that you want to evaluate for compliance on Mac computers.
Use the following syntax: /<dictionary>/<keyname>.

IMPORTANT
The key name is case sensitive, and won't be evaluated if it differs from the key name on the Mac
computer. Additionally, you can't edit the key name after you have specified it. If you need to edit the
key name, delete and then re-create the setting.

Script
Discovery Script: Select Add Script, and then enter a shell script to assess settings on the
Mac computer for compliance. Use the echo command in the shell script to return values to
Configuration Manager for compliance. Configuration Manager uses the results returned in
STDOUT to evaluate compliance.

IMPORTANT
Don't include the reboot command in the discovery script. Because the discovery script runs each
time the client restarts, this causes the Mac computer to continually restart.

Remediation script (optional): Optionally, select Add Script, and then enter a shell script
that is used to remediate any noncompliant settings found on Mac client computers.

IMPORTANT
To ensure that you don't introduce formatting characters that the Mac computer can't interpret, don't
use copy and paste. Instead, type in the script.

11. Choose the Data type , which is the format in which the condition returns the data before it's used to
evaluate the setting.

NOTE
The Floating point data type supports only 3 digits after the decimal point.
Configuration Manager doesn't support using the Boolean data type for Mac configuration item script settings.
Instead, set the data type to Integer , and ensure that the script returns an integer value.

12. Select OK to save the setting and close the Create Setting dialog box. Then continue to add as many
settings as you require.
13. On the Compliance Rules page of the wizard, specify the conditions that define the compliance of a
configuration item. Before a setting can be evaluated to compliance, it must have at least one compliance
rule. Select New to add a new rule.
14. In the Create Rule dialog box, provide the following information:
Name : Enter a name for the compliance rule.
Description : Enter a description for the compliance rule.
Selected setting : Select Browse to open the Select Setting dialog box. Select the setting that you
want to define a rule for, or select New Setting . When you are finished, choose Select .

TIP
You can also select Properties to view information about the currently selected setting.

Rule type : Select the type of compliance rule that you want to use:
Value : Create a rule that compares the value returned by the configuration item against a
value that you specify.
Existential : Create a rule that evaluates the setting depending on whether it exists on a
device.
For a rule type of Value , specify the following information:
The setting must comply with the following rule : Select an operator and a value that is
assessed for compliance with the selected setting. You can use the following operators:
Equals
Not equal to
Greater than
Less than
Between
Greater than or equal to
Less than or equal to
One of : In the text box, specify one entry on each line.
None of : In the text box, specify one entry on each line.
Remediate noncompliant rules when supported: Select this option if you want
Configuration Manager to automatically remediate noncompliant rules.

IMPORTANT
You can only remediate noncompliant rules when the rule operator is set to Equals .

Report noncompliance if this setting instance is not found: The configuration item
reports noncompliance if this setting isn't found on the Mac computer.
Noncompliance severity for reports: Specify the severity level reported if this compliance
rule fails. The available severity levels are:
None : Computers that fail this compliance rule don't report a failure severity for
Configuration Manager reports.
Information : Computers that fail this compliance rule report a failure severity of
Information for Configuration Manager reports.
Warning : Computers that fail this compliance rule report a failure severity of Warning
for Configuration Manager reports.
Critical : Computers that fail this compliance rule report a failure severity of Critical
for Configuration Manager reports.
Critical with event : Computers that fail this compliance rule report a failure severity
of Critical for Configuration Manager reports. The Mac client computer also logs this
severity level.
For a rule type of Existential , specify the following information:
Choose either:
The setting must exist on client devices
The setting must not exist on client devices
Noncompliance severity for reports: Specify the severity level that is reported if this
compliance rule fails. The available severity levels are:
None : Computers that fail this compliance rule don't report a failure severity for
Configuration Manager reports.
Information : Computers that fail this compliance rule report a failure severity of
Information for Configuration Manager reports.
Warning : Computers that fail this compliance rule report a failure severity of Warning
for Configuration Manager reports.
Critical : Computers that fail this compliance rule report a failure severity of Critical
for Configuration Manager reports.
Critical with event : Computers that fail this compliance rule report a failure severity
of Critical for Configuration Manager reports. The Mac client computer also logs this
severity level.

NOTE
The options shown might vary, depending on the setting type you are configuring a rule for.

15. Select OK to close the Create Rule dialog box.


16. On the Summary page, confirm the settings for the new configuration item. Then, complete the wizard.
See the new configuration item in the Configuration Items node of the Assets and Compliance workspace.
If you now want to add this configuration item to a configuration baseline, see How to create configuration
baselines.

Next steps
Configuration items for devices managed with the Configuration Manager client
Create custom configuration items for Windows
desktop and server computers managed with the
Configuration Manager client
9/4/2020 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Use the Configuration Manager custom Windows Desktops and Servers configuration item to manage
settings for Windows computers and servers that are managed by the Configuration Manager client.

Start the wizard


1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance
Settings , and select the Configuration Items node.
2. On the Home tab of the ribbon, in the Create group, select Create Configuration Item .
3. On the General page of the Create Configuration Item Wizard , specify a name, and optional
description for the configuration item.
4. Under Specify the type of configuration item that you want to create, select Windows Desktops
and Servers (custom).

TIP
If you want to supply detection method settings that check for the existence of an application, select This
configuration item contains application settings.

5. To help you search and filter configuration items in the Configuration Manager console, select Categories
to create and assign categories.

Detection methods
Use this procedure to provide detection method information for the configuration item.

NOTE
This information only applies if you select This configuration item contains application settings on the General page
of the wizard.

A detection method in Configuration Manager contains rules that are used to detect whether an application is
installed on a computer. This detection occurs before the client assesses its compliance for the configuration item.
To detect whether an application is installed, you can detect the presence of a Windows Installer file for the
application, use a custom script, or select Always assume application is installed to assess the configuration
item for compliance regardless of whether the application is installed.
To detect an application installation by using the Windows Installer file
1. On the Detection Methods page of the Create Configuration Item Wizard , select the option to Use
Windows Installer detection .
2. Select Open , browse to the Windows Installer (.msi) file that you want to detect, and then select Open .
3. The Version field automatically populates with the version number of the Windows Installer file. If the
displayed value is incorrect, enter a new version number here.
4. If you want to detect each user profile on the computer, select This application is installed for one or
more users .
To detect a specific application and deployment type
1. On the Detection Methods page of the Create Configuration Item Wizard , select to Detect a specific
application and deployment type . Choose Select .
2. In the Specify Application dialog box, select the application and an associated deployment type that you
want to detect.
To detect an application installation by using a custom script
1. On the Detection Methods page of the Create Configuration Item Wizard , select the option to Use a
custom script to detect this application .
2. In the list, select the language of the script. Choose from the following formats:
VBScript
JScript
PowerShell

NOTE
Starting in version 1810, when a Windows PowerShell script runs as a detection method, the Configuration
Manager client calls PowerShell with the -NoProfile parameter. This option starts PowerShell without
profiles. A PowerShell profile is a script that runs when PowerShell starts.

3. Select Open , browse to the script that you want to use, and then select Open .

Specify supported platforms


On the Supported Platforms page of the Create Configuration Item Wizard, select the Windows versions on
which you want the configuration item to be assessed for compliance, or choose Select all.
You can also Specify the version of Windows manually . Select Add and specify each part of the Windows
build number.

NOTE
When specifying Windows Server 2016, the selection for All Windows Server 2016 and higher (64-bit) also includes
Windows Server 2019. To specify Windows Server 2016 only, use the option to Specify the version of Windows
manually.

Configure settings
Use this procedure to configure the settings in the configuration item.
Settings represent the business or technical conditions that are used to assess compliance on client devices. You
can configure a new setting or browse to an existing setting on a reference computer.
1. On the Settings page of the Create Configuration Item Wizard , select New .
2. On the General tab of the Create Setting dialog box, provide the following information:
Name : Enter a unique name for the setting. You can use a maximum of 256 characters.
Description : Enter a description for the setting. You can use a maximum of 256 characters.
Setting type : In the list, choose and configure one of the following setting types to use for this
setting:
Active Directory query
Assembly
File system
IIS metabase
Registry key
Registry value
Script
SQL query
WQL query
XPath query
Data type : Choose the format in which the condition returns the data before it's used to assess the
setting. The Data type list isn't displayed for all setting types.

TIP
The Floating point data type supports only three digits after the decimal point.

3. Configure additional details about this setting under the Setting type list. The items you can configure vary
depending on the setting type you've selected.
4. Select OK to save the setting and close the Create Setting dialog box.
Active Directory query
LDAP prefix : Specify a valid prefix to the Active Directory Domain Services query to assess compliance on
client computers. To do a global catalog search, use either LDAP:// or GC:// .
Distinguished Name (DN) : Specify the distinguished name of the Active Directory Domain Services
object that is assessed for compliance on client computers.
Search filter : Specify an optional LDAP filter to refine the results from the Active Directory Domain
Services query to assess compliance on client computers. To return all results from the query, enter
(objectclass=*) .

Search scope: Specify the search scope in Active Directory Domain Services:
Base: Queries only the specified object
One Level: This option isn't used in this version of Configuration Manager
Subtree: Queries the specified object and its complete subtree in the directory
Property: Specify the property of the Active Directory Domain Services object that's used to assess
compliance on client computers.
For example, if you want to query the Active Directory property that stores the number of times a user
incorrectly enters a password, enter badPwdCount in this field.
Query: Displays the query constructed from the entries in LDAP prefix, Distinguished name (DN),
Search filter (if specified), and Property.
Assembly
An assembly is a piece of code that can be shared between applications. Assemblies can have the file name
extension .dll or .exe. The global assembly cache is the folder %SystemRoot%\Assembly on client computers. This
cache is where Windows stores all shared assemblies.
Assembly name: Specifies the name of the assembly object that you want to search for. The name can't be the
same as other assembly objects of the same type. First register it in the global assembly cache. The assembly
name can be up to 256 characters long.
File system
Type : In the list, select whether you want to search for a File or a Folder .
Path : Specify the path of the specified file or folder on client computers. You can specify system
environment variables and the %USERPROFILE% environment variable in the path.

NOTE
If you use the %USERPROFILE% environment variable in the Path or File or folder name boxes, the Configuration
Manager client searches all user profiles on the client computer. This behavior could result in it finding multiple
instances of the file or folder.
If compliance settings don't have access to the specified path, a discovery error is generated. Additionally, if the file
you are searching for is currently in use, a discovery error is generated.

TIP
Select Browse to configure the setting from values on a reference computer.

File or folder name : Specify the name of the file or folder object to search for. You can specify system
environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also
use the wildcards * and ? in the file name.

NOTE
If you specify a file or folder name and use wildcards, this combination might produce a high number of results. It
could also result in high resource use on the client computer, and high network traffic when reporting results to
Configuration Manager.

Include subfolders : Also search any subfolders under the specified path.
This file or folder is associated with a 64-bit application : If enabled, only search 64-bit file locations
such as %ProgramFiles% on 64-bit computers. If this option isn't enabled, search both 64-bit locations and
32-bit locations such as %ProgramFiles(x86)% .

NOTE
If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer,
multiple files are discovered by the global condition.

The File system setting type doesn't support specifying a UNC path to a network share in the Path box.
IIS metabase
Metabase path : Specify a valid path to the Internet Information Services (IIS) metabase. For example,
/LM/W3SVC/ .

Property ID: Specify the numeric property of the IIS metabase setting.


Registry key
Hive: Select the registry hive that you want to search.

TIP
Select Browse to configure the setting from values on a reference computer. To browse to a registry key on a remote
computer, enable the Remote Registry service on the remote computer.

Key: Specify the registry key name that you want to search for. Use the format key\subkey.
This registry key is associated with a 64-bit application: Search 64-bit registry keys in addition to
the 32-bit registry keys on clients that are running a 64-bit version of Windows.

NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both
registry keys are discovered by the global condition.

Registry value
Hive: Select the registry hive to search.

TIP
Select Browse to configure the setting from values on a reference computer. To browse to a registry value on a
remote computer, enable the Remote Registry service on the remote computer. You also need administrator
permissions to access the remote computer.

Key: Specify the registry key name to search for. Use the format key\subkey.
Value: Specify the value that must be contained within the specified registry key.
This registry key is associated with a 64-bit application: Search the 64-bit registry keys in addition
to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both
registry keys are discovered by the global condition.

Script
The value returned by the script is used to assess the compliance of the global condition. For example, when using
VBScript, you could use the command WScript.Echo Result to return the Result variable value to the global
condition.
Discovery script: Select Add Script, and enter or browse to a script. This script is used to find the value.
You can use Windows PowerShell, VBScript, or Microsoft JScript scripts.
Remediation script (optional): Select Add Script, and enter or browse to a script. This script is used to
remediate noncompliant setting values. You can use Windows PowerShell, VBScript, or Microsoft JScript
scripts.
Run scripts by using the logged on user credentials: If you enable this option, the script runs on client
computers with the credentials of the signed-in user instead of the local system account.

NOTE
Starting in version 1810, when you use Windows PowerShell as a discovery or remediation script, the Configuration Manager
client calls PowerShell with the -NoProfile parameter. This option starts PowerShell without profiles. A PowerShell profile is
a script that runs when PowerShell starts.
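
As an added example (not from the documentation), the two scripts below implement the Script setting type for a custom Windows configuration item: the discovery script writes exactly one value to STDOUT for the compliance rule to compare, and the remediation script corrects the setting when the rule is noncompliant. The check (all Windows Firewall profiles enabled), the rule value "Compliant", and the cmdlets used are this example's own choices; each section is uploaded as its own .ps1 file.

```powershell
# ---------- Discovery script (upload as its own .ps1) ----------
# Setting type: Script, Data type: String.
# Compliance rule: Value, operator Equals, value "Compliant", with
# "Remediate noncompliant rules when supported" enabled (remediation
# is only offered for the Equals operator).
# Leave "Run scripts by using the logged on user credentials" clear:
# changing firewall profiles needs administrative rights, which the
# client's system context has and an ordinary signed-in user may not.
# The client starts PowerShell with -NoProfile, so nothing defined in a
# PowerShell profile (aliases, functions, imported modules) can be relied on.
$ErrorActionPreference = 'Stop'
try {
    # Every profile (Domain, Private, Public) must report Enabled = True.
    $disabled = Get-NetFirewallProfile |
        Where-Object { "$($_.Enabled)" -ne 'True' } |
        Select-Object -ExpandProperty Name

    # Exactly one line goes to STDOUT; that line is the value the rule sees.
    # Use Write-Output, not Write-Host, so the value is captured.
    if ($disabled) {
        Write-Output "NonCompliant:$($disabled -join ',')"
    }
    else {
        Write-Output 'Compliant'
    }
}
catch {
    # An exception also yields a value that does not equal "Compliant",
    # so a broken check reports noncompliant instead of silently passing.
    Write-Output "Error:$($_.Exception.Message)"
}

# ---------- Remediation script (upload as a second .ps1) ----------
# Runs only after the discovery value fails the Equals rule above.
$ErrorActionPreference = 'Stop'
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
```

Because the discovery value carries the names of the disabled profiles, the noncompliant value is visible in reports while the Equals rule still only matches the single string "Compliant".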

SQL query
SQL Server instance: Choose whether you want the SQL query to run on the default instance, all
instances, or a specified database instance name.

NOTE
The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server instance, you
should use a script setting.

Database : Specify the name of the Microsoft SQL Server database against which you want to run the SQL
query.
Column : Specify the column name returned by the Transact-SQL statement that's used to assess the
compliance of the global condition.
Transact-SQL statement : Specify the full SQL query you want to use for the global condition. To use an
existing SQL query, select Open .

IMPORTANT
SQL Query settings don't support any SQL commands that modify the database. You can only use SQL commands
that read information from the database.

WQL query
Namespace: Specify the WMI namespace that's assessed for compliance on client computers. The default
value is root\cimv2.
Class: Specify the target WMI class in the above namespace.
Property: Specify the target WMI property in the above class.
WQL query WHERE clause: Specify a qualifying clause to reduce the results. For example, to only query
the DHCP service in the Win32_Service class, the WHERE clause could be
Name = 'DHCP' and StartMode = 'Auto'.

XPath query
Path : Specify the path of the .xml file on client computers that is used to assess compliance. Configuration
Manager supports the use of all Windows system environment variables and the %USERPROFILE% user
variable in the path name.
XML file name : Specify the file name containing the XML query in the above path.
Include subfolders : Enable this option to search any subfolders under the specified path.
This file is associated with a 64-bit application : Search the 64-bit system file location
%Windir%\System32 in addition to the 32-bit system file location %Windir%\Syswow64 on Configuration
Manager clients that are running a 64-bit version of Windows.
XPath query: Specify a valid full XML path language (XPath) query.
Namespaces : Identify namespaces and prefixes to be used during the XPath query.
If you attempt to discover an encrypted .xml file, compliance settings find the file, but the XPath query produces no
results. The Configuration Manager client doesn't generate an error.
If the XPath query isn't valid, the setting is evaluated as noncompliant on client computers.

Configure compliance rules


Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be
evaluated for compliance, it must have at least one compliance rule. WMI, registry, and script settings let you
remediate values that are found to be noncompliant. You can create new rules or browse to an existing setting in
any configuration item to select rules in it.
To create a compliance rule
1. On the Compliance Rules page of the Create Configuration Item Wizard , select New .
2. In the Create Rule dialog box, provide the following information:
Name : Enter a name for the compliance rule.
Description : Enter a description for the compliance rule.
Selected setting : Select Browse to open the Select Setting dialog box. Select the setting that you
want to define a rule for, or select New Setting . When you're finished, choose Select .

TIP
To view information about the currently selected setting, select Properties.

Rule type : Select the type of compliance rule that you want to use:
Value : Create a rule that compares the value returned by the configuration item against a
value that you specify. For more information on the additional settings, see Value rules.
Existential : Create a rule that evaluates the setting depending on whether it exists on a client
device or on the number of times it's found. For more information on the additional settings,
see Existential rules.
3. Select OK to close the Create Rule dialog box.
Value rules
Property: The property of the object to check varies depending upon the selected setting. The available
properties vary based on the type of setting.
The setting must comply with the following...: The available rules or permissions vary based on the
type of setting.
Remediate noncompliant rules when supported: Select this option for Configuration Manager to
automatically remediate noncompliant rules. Configuration Manager supports this action with the
following rule types:
Registry value: If it's noncompliant, the client sets the registry value. If it doesn't exist, the client
creates the value.
Script: The client uses the remediation script that you specified with the setting.
WQL query

IMPORTANT
You can only remediate noncompliant rules when the rule operator is set to Equals .

Report noncompliance if this setting instance is not found: If this setting isn't found on client
computers, enable this option for the configuration item to report noncompliance.
Noncompliance severity for reports: Specify the severity level that's reported in Configuration Manager
reports if this compliance rule fails. The following severity levels are available:
None
Information
Warning
Critical
Critical with event : Computers that fail this compliance rule report a failure severity of Critical . This
severity level is also logged as a Windows event in the application event log.
Existential rules

NOTE
The options shown might vary depending on the setting type you're configuring a rule for.

The setting must exist on client devices
The setting must not exist on client devices
The setting occurs the following number of times:
Noncompliance severity for reports: Specify the severity level that's reported in Configuration Manager
reports if this compliance rule fails. The following severity levels are available:
None
Information
Warning
Critical
Critical with event : Computers that fail this compliance rule report a failure severity of Critical . This
severity level is also logged as a Windows event in the application event log.

Track configuration item remediations


(Introduced in version 2002)
Starting in Configuration Manager version 2002, you can Track remediation history when supported on your
configuration item compliance rules. When this option is enabled, any remediation that occurs on the client for the
configuration item generates a state message. The history is stored in the Configuration Manager database.
Build custom reports to view the remediation history by using the public view v_CIRemediationHistory. The
RemediationDate column is the time, in UTC, the client ran the remediation. The ResourceID identifies the device.
Building custom reports with the v_CIRemediationHistory view helps you:
Identify possible issues with your remediation scripts
Find trends in remediations, such as a client that is consistently noncompliant each evaluation cycle.
Enable the Track remediation history when supported option
For new configuration items, add the Track remediation history when supported option in the
Compliance Rules tab when you create a new setting on the wizard's Settings page.
For existing configuration items, add the Track remediation history when supported option on the
Compliance Rules tab in the configuration item Properties.
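
An added example (not part of the documentation) of the kind of custom report described above, run from PowerShell against the site database with Invoke-Sqlcmd from the SqlServer module. It lists devices that were remediated repeatedly within a window, which is the trend the text calls out; the SQL instance, database name and thresholds are placeholders, and only the ResourceID and RemediationDate columns of the view are assumed.

```powershell
# Report on configuration item remediations recorded by the
# "Track remediation history when supported" option (version 2002 and later).
# Assumptions (placeholders, not values from the documentation):
#   - $SqlInstance and $Database point at the Configuration Manager site database
#   - the account running this has read access to that database
#   - the SqlServer PowerShell module (Invoke-Sqlcmd) is installed
$SqlInstance = 'CMSQL01\CMINST'   # placeholder SQL Server instance
$Database    = 'CM_PS1'           # placeholder site database name
$DaysBack    = 30                 # look-back window in days
$MinRepeats  = 3                  # remediations in the window that count as "keeps drifting"

# v_CIRemediationHistory exposes ResourceID (the device) and RemediationDate
# (UTC time the client ran the remediation). v_R_System supplies the device
# name for the same ResourceID. The view is read-only reporting data, so this
# is a plain SELECT.
$query = @"
SELECT  s.Name0                AS DeviceName,
        h.ResourceID,
        COUNT(*)               AS Remediations,
        MIN(h.RemediationDate) AS FirstRemediationUtc,
        MAX(h.RemediationDate) AS LastRemediationUtc
FROM    v_CIRemediationHistory AS h
JOIN    v_R_System             AS s ON s.ResourceID = h.ResourceID
WHERE   h.RemediationDate >= DATEADD(day, -$DaysBack, GETUTCDATE())
GROUP BY s.Name0, h.ResourceID
HAVING  COUNT(*) >= $MinRepeats
ORDER BY Remediations DESC;
"@

# A device that is remediated again and again inside the window means either
# the remediation script is not fixing the root cause, or something keeps
# reverting the setting between evaluation cycles. Both deserve a look.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $query |
    Format-Table DeviceName, ResourceID, Remediations, FirstRemediationUtc, LastRemediationUtc -AutoSize
```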

Next steps
Create configuration baselines
How to create child configuration items in
Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Child configuration items in Configuration Manager are copies of configuration items that retain a relationship to
the original configuration item in that they inherit the original configuration from the parent configuration item.
When you view the properties of a child configuration item in the Configuration Manager console, you cannot edit
the inherited objects and settings with their validation criteria. However, you can add and then edit additional
validation criteria to the child configuration item, and you can also add new objects and settings to the child
configuration item. An example for creating and editing a child configuration item is to refine the original
configuration item to meet your business requirements.

NOTE
You can only create child configuration items from configuration items of the type Windows Desktops and Servers
(custom).

To create a child configuration item


1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Items .
2. In the Configuration Items list, select the configuration item for which you want to create a child
configuration item, and then in the Home tab, in the Configuration Item group, click Create Child
Configuration Item .
3. On the General page of the Create Child Configuration Item Wizard , you can choose a specific revision
of the parent configuration item to use to create the child. Other steps in this wizard are identical to those
you would use to create a standard configuration item. For more information, see How to create custom
configuration items for Windows desktop and server computers.
4. Complete the wizard. The new child configuration item displays in the Configuration Items list.
Create configuration baselines in Configuration Manager
9/4/2020 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Configuration baselines in Configuration Manager contain predefined configuration items and optionally, other
configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in
that collection download the configuration baseline and assess their compliance with it.

TIP
There's no way to specify the order that the Configuration Manager client evaluates the configuration items in a baseline. It's
non-deterministic.

Configuration baselines
Configuration baselines in Configuration Manager can contain specific revisions of configuration items or can be
configured to always use the latest version of a configuration item. For more information about configuration item
revisions, see Management tasks for configuration data.
There are two methods that you can use to create configuration baselines:
Import configuration data from a file. To start the Import Configuration Data Wizard, in the
Configuration Items or Configuration Baselines node in the Assets and Compliance workspace,
click Import Configuration Data. For more information, see Import configuration data.
Use the Create Configuration Baseline dialog box to create a new configuration baseline.

Create a configuration baseline


To create a configuration baseline by using the Create Configuration Baseline dialog box, use the following
procedure:
1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Baselines .
2. On the Home tab, in the Create group, click Create Configuration Baseline .
3. In the Create Configuration Baseline dialog box, enter a unique name and a description for the
configuration baseline. You can use a maximum of 255 characters for the name and 512 characters for the
description.
4. The Configuration data list displays all configuration items or configuration baselines that are included in
this configuration baseline. Click Add to add a new configuration item or configuration baseline to the list.
You can choose from the following items:
Configuration Items
Software Updates
Configuration Baselines
IMPORTANT
You must limit each configuration baseline to no more than 1000 software updates.

5. Use the Change Purpose list to specify the behavior of a configuration item that you've selected in the
Configuration data list. You can select from the following items:
Required: The configuration baseline is evaluated as noncompliant if the configuration item isn't
detected on a client device. If it's detected, it's evaluated for compliance.
Optional : The configuration item is only evaluated for compliance if the application it references is
found on client computers. If the application is not found, the configuration baseline isn't marked as
noncompliant (only applicable to application configuration items).
Prohibited : The configuration baseline is evaluated as noncompliant if the configuration item is
detected on client computers (only applicable to application configuration items).

NOTE
The Change Purpose list is available only if you clicked the option This configuration item contains
application settings on the General page of the Create Configuration Item Wizard .

6. Use the Change Revision list to select a specific or the latest revision of the configuration item to assess
for compliance on client devices or select Always Use Latest to always use the latest revision. For more
information about configuration item revisions, see Management tasks for configuration data.
7. To remove a configuration item from the configuration baseline, select a configuration item, and then click
Remove .
8. Starting in version 1806, select if you want to Always apply this baseline for co-managed clients .
When checked, this baseline will apply even on clients that are managed by Intune. This exception might be
used to configure settings that are required by your organization but not yet available in Intune.
9. Optionally, click on Categories to assign categories to the baseline for searching and filtering.
10. Click OK to close the Create Configuration Baseline dialog box and to create the configuration baseline.

NOTE
Modifying an existing baseline, such as setting Always apply this baseline for co-managed clients , will increment the
baseline content version. Clients will need to evaluate the new version to update the baseline reporting.

Include custom configuration baselines as part of compliance policy assessment
(Introduced in version 1910)
Starting in version 1910, you can add evaluation of custom configuration baselines as a compliance policy
assessment rule. When you create or edit a configuration baseline, you have an option to Evaluate this baseline
as part of compliance policy assessment. When adding or editing a compliance policy rule, you have a
condition called Include configured baselines in compliance policy assessment . For co-managed devices,
and when you configure Intune to take Configuration Manager compliance assessment results as part of the
overall compliance status, this information is sent to Azure AD. You can then use it for conditional access to your
Microsoft 365 Apps resources. For more information, see Conditional access with co-management.
To include custom configuration baselines as part of compliance policy assessment, do the following:
Create and deploy a compliance policy to a user collection with a rule to Include configured baselines in
compliance policy assessment .
Select Evaluate this baseline as part of compliance policy assessment in a configuration baseline
deployed to a device collection.

IMPORTANT
When targeting devices that are co-managed, ensure you meet the co-management prerequisites.

Example evaluation scenario


When a user is part of a collection targeted with a compliance policy that includes the rule condition Include
configured baselines in compliance policy assessment , any baselines with the Evaluate this baseline as
part of compliance policy assessment option selected that are deployed to the user or the user's device are
evaluated for compliance. For example:
User1 is part of User Collection 1 .
User1 uses Device1 , which is in Device Collection 1 and Device Collection 2 .
Compliance Policy 1 has the Include configured baselines in compliance policy assessment rule
condition and is deployed to User Collection 1 .
Configuration Baseline 1 has Evaluate this baseline as part of compliance policy assessment selected
and is deployed to Device Collection 1 .
Configuration Baseline 2 has Evaluate this baseline as part of compliance policy assessment selected
and is deployed to Device Collection 2 .

In this scenario, when Compliance Policy 1 evaluates for User1 using Device1 , both Configuration Baseline 1
and Configuration Baseline 2 are evaluated too.
User1 sometimes uses Device2 .
Device2 is a member of Device Collection 2 and Device Collection 3 .
Device Collection 3 has Configuration Baseline 3 deployed to it, but Evaluate this baseline as part of
compliance policy assessment isn't selected.
When User1 uses Device2 , only Configuration Baseline 2 gets evaluated when Compliance Policy 1 evaluates.

NOTE
If the compliance policy evaluates a new baseline that has never been evaluated on the client before, it may report
non-compliance. This occurs if the baseline evaluation is still running when the compliance is evaluated. To work around
this issue, click Check compliance in the Software Center.

Create and deploy a compliance policy with a rule for baseline compliance policy assessment
1. In the Assets and Compliance workspace, expand Compliance Settings, then select the Compliance
Policies node.
2. Click Create Compliance Policy in the ribbon to bring up the Create Compliance Policy Wizard .
3. On the General page, select Compliance rules for devices managed with the Configuration
Manager client .
Devices must be managed with the Configuration Manager client to include custom configuration
baselines as part of compliance policy assessment.
4. Select your platforms on the Supported Platforms pages.
5. On the Rules page, select New, then select the Include configured baselines in compliance policy
assessment condition.
6. Click OK, then Next to get to the Summary page.
7. Verify your selections and click Next then Close.
8. In the Compliance Policies node, right-click on the policy you created, and select Deploy.
9. Choose your collection, alert generation settings, and your compliance evaluation schedule for the policy.
10. Click OK to deploy the compliance policy.
Select a configuration baseline and check "Evaluate this baseline as part of compliance policy assessment"
1. In the Assets and Compliance workspace, expand Compliance Settings , then select the Configuration
Baselines node.
2. Right-click on an existing baseline that's deployed to a device collection, then select Properties. If needed,
you can create a new baseline.
The baseline must be deployed to a device collection, not a user collection.
3. Enable the Evaluate this baseline as par t of compliance policy assessment setting.
For co-managed devices that have Intune as the Device configuration authority, ensure Always
apply this baseline even for co-managed clients is also selected.
4. Click OK to save the changes to your configuration baseline.
Log files for custom configuration baselines as part of compliance policy assessment
ComplianceHandler.log
SettingsAgent.log
DCMAgent.log
CIAgent.log
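The four client logs listed above use the CMTrace line format, and a failed or still-running baseline evaluation is far easier to spot once the lines are parsed into fields. As an added example (not code from the documentation or from Configuration Manager itself), the following PowerShell parses that format and lists every warning or error from those logs. It assumes the client log directory $env:windir\CCM\Logs and the CMTrace severity codes 2 = warning, 3 = error; the sample line at the end is constructed, not a real log entry.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumptions (not on the page): client logs live under $env:windir\CCM\Logs and
# CMTrace "type" codes are 1 = info, 2 = warning, 3 = error.

$LogDir   = Join-Path $env:windir 'CCM\Logs'
$LogNames = 'ComplianceHandler.log', 'SettingsAgent.log', 'DCMAgent.log', 'CIAgent.log'

# One CMTrace line looks like:
#   <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="X" context="" type="N" thread="T" file="F">
# Continuation lines of multi-line messages do not match and are skipped.
$CMTracePattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][string]$Line, [string]$Source = '')
    if ($Line -notmatch $CMTracePattern) { return $null }   # not a CMTrace line
    # Strip the UTC offset suffix (e.g. "+000") so the timestamp parses cleanly.
    $stamp    = '{0} {1}' -f $Matches.date, ($Matches.time -replace '[+-]\d+$', '')
    $severity = switch ($Matches.type) { '3' { 'Error' } '2' { 'Warning' } default { 'Info' } }
    [pscustomobject]@{
        Source    = $Source
        Time      = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        Component = $Matches.comp
        Severity  = $severity
        Message   = $Matches.msg
    }
}

function Get-CMComplianceLogIssues {
    param([string]$Directory = $LogDir, [string[]]$Names = $LogNames)
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path $path)) { continue }            # log not present on this client
        Get-Content -Path $path |
            ForEach-Object { ConvertFrom-CMTraceLine -Line $_ -Source $name } |
            Where-Object { $_ -and $_.Severity -ne 'Info' }
    }
}

# Constructed sample line (not a real log entry) showing what the parser extracts.
$sample = '<![LOG[Failed to evaluate baseline]LOG]!><time="10:15:30.123+000" date="09-04-2020" component="DCMAgent" context="" type="3" thread="4321" file="dcmagent.cpp:77">'
ConvertFrom-CMTraceLine -Line $sample -Source 'DCMAgent.log' | Format-List

# Live run on this client: everything at warning or error level, oldest first.
Get-CMComplianceLogIssues | Sort-Object Time | Format-Table Time, Source, Severity, Message -AutoSize
```

Run it on the client after clicking Check compliance in Software Center; an error in DCMAgent.log or CIAgent.log close to the time the compliance policy evaluated usually explains a non-compliant result that the note above attributes to a baseline evaluation that had not finished yet.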

Next steps
Import configuration data
How to deploy configuration baselines in Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration baselines in Configuration Manager must be deployed to one or more collections of users or devices
before client devices in those collections can assess their compliance with the configuration baseline.
Use the Deploy Configuration Baselines dialog box to define configuration baseline deployments, which
includes adding or removing configuration baselines from deployments in addition to specifying the evaluation
schedule.

Deploy a configuration baseline


1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Baselines .
2. In the Configuration Baselines list, select the configuration baseline that you want to deploy, and then in
the Home tab, in the Deployment group, click Deploy .
3. In the Deploy Configuration Baselines dialog box, select the configuration baselines that you want to
deploy in the Available configuration baselines list. Click Add to add these to the Selected
configuration baselines list.

IMPORTANT
If you change a configuration item that has been added to a deployed configuration baseline, the revised
configuration item is not evaluated for compliance until its next scheduled evaluation time.

4. Specify the following additional information:
Remediate noncompliant rules when supported – Automatically remediates any rules that are
noncompliant for Windows Management Instrumentation (WMI), the registry, scripts, and all settings
for mobile devices that are enrolled by Configuration Manager.
Allow remediation outside the maintenance window – If a maintenance window has been
configured for the collection to which you are deploying the configuration baseline, enable this
option to let compliance settings remediate the value outside of the maintenance window. For more
information about maintenance windows, see How to use maintenance windows.
5. Generate an alert – Configures an alert that is generated if the configuration baseline compliance is less
than a specified percentage by a specified date and time. You can also specify whether you want an alert to
be sent to System Center Operations Manager.
6. Collection - Click Browse to select the collection where you want to deploy the configuration baseline.
7. Specify the compliance evaluation schedule for this configuration baseline Specifies the schedule
by which the deployed configuration baseline is evaluated on client computers. This can be either a simple
or a custom schedule.
NOTE
If the configuration baseline is deployed to a computer, it is evaluated for compliance within two hours of the start
time that you schedule. If it is deployed to a user, it is evaluated for compliance when the user logs on.

8. Click OK to close the Deploy Configuration Baselines dialog box and to create the deployment. For
more information about how to monitor the deployment, see Monitor compliance settings.
Manage configuration data in Configuration Manager
9/4/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


After you have created configuration items and configuration baselines in Configuration Manager, further
commands are available to help you perform various actions.

Manage configuration items


In the Assets and Compliance workspace, expand Compliance Settings > Configuration Items , select
the configuration item to manage, and then select a management task.

Management task: Details

Create Child Configuration Item: Opens the Create Child Configuration Item Wizard where you can create a child
configuration item from the selected configuration item. You cannot create a child configuration item from a mobile
device configuration item. For details, see Create child configuration items.

Revision History: Opens the Configuration Item Revision History dialog box where you can view and manage
previous revisions of the selected configuration item.

View XML Definition: Displays the XML definition file for the selected configuration item in a new window. This
information can be useful when you want to author configuration data manually.

Export: Exports a configuration item in a cabinet (.cab) file format, providing that it was created at that site. You can
then import it to the same or a different Configuration Manager site. Configuration data is converted to DCM Digest.

Copy: Creates a copy of the selected configuration item with a name you specify. The new configuration item does not
retain any relationship to the original configuration item. This means that the duplicate configuration item does not
continue to inherit configuration information from the original configuration item.

Delete: Opens the Delete Configuration Item dialog box where you can review any references to this configuration
item. You must remove all references to a configuration item before you can delete the configuration item.

Manage configuration baselines


In the Assets and Compliance workspace, expand Compliance Settings > Configuration Baselines ,
select the configuration baseline to manage, and then select a management task.

Management task: Details

Show Members: Displays all of the configuration items that are referenced by the configuration baseline.

Schedule Summarization: Configures the schedule by which the data shown in the Configuration Baselines node in
the Configuration Manager console is updated with the latest information from the site database.

Run Summarization: Summarization causes the data in the Configuration Baselines node to be refreshed with the
latest data from the site database. This action might take several minutes to complete. You might have to click
Refresh before you can see the latest data in the console.

View XML Definition: Displays the XML definition file for the selected configuration baseline in a new window. This
information can be useful when you want to author configuration data manually.

Enable: Enables a configuration baseline for compliance monitoring.

Disable: Disables a configuration baseline so it is no longer evaluated for compliance on client computers.
Configuration baselines that reference this configuration baseline will also be disabled.

Export: Exports a configuration baseline in a cabinet (.cab) file format, providing that it was created at that site. You
can then import it to the same or a different Configuration Manager site. Configuration data is converted to DCM
Digest. For information about how to import configuration data, see Import configuration data.

Copy: Creates a copy of the selected configuration baseline with a name that you specify. The new configuration
baseline does not retain any relationship to the original configuration baseline.

Delete: Opens the Delete Configuration Baseline dialog box where you can review any references to this
configuration baseline. You must remove all references to a configuration baseline before you can delete the
configuration baseline.

Deploy: Opens the Deploy Configuration Baseline dialog box where you can deploy one or more configuration
baselines to devices in your hierarchy. For details, see Deploy configuration baselines.


Import configuration data with Configuration Manager
9/4/2020 • 2 minutes to read

Applies to: Configuration Manager (current branch)


In addition to creating configuration baselines and configuration items in the Configuration Manager console, you
can import configuration data if it is contained in a cabinet (.cab) file format and adheres to the supported Service
Modeling Language (SML) schema. You can import configuration data from:
Best practice configuration data (Configuration Packs) that has been downloaded from Microsoft or from
other software vendor sites.
Configuration data that has been exported from System Center 2012 Configuration Manager and later.
Configuration data that was externally authored and that conforms to the SML schema.
When you import a configuration baseline, some or all of the configuration items that are referenced in the
configuration baseline might also be included in the cabinet file. During the import process, Configuration
Manager verifies that all of the configuration items that are referenced in the configuration baseline are either also
included in the cabinet file or already exist in the Configuration Manager site. The import process fails if you
attempt to import a configuration baseline that references configuration data that Configuration Manager cannot
locate.
Other scenarios where the import process might fail include the following:
The configuration data references configuration data that Configuration Manager cannot locate, either in its
database or in the cabinet file itself.
The configuration data is already present in the Configuration Manager database with the same name and
configuration data version, but the content version differs.
The configuration data is already present in the Configuration Manager database with the same content
version, but the hash calculation identifies it as being different.
A newer version of the configuration data with same name is already present or has recently been deleted
in the Configuration Manager database.
In a multi-site Configuration Manager hierarchy, the configuration data was originally imported from a
parent site. You must update it from the same site and not a child site.
Import configuration data
1. In the Configuration Manager console, click Assets and Compliance > Configuration Items or
Configuration Baselines.
2. In the Home tab, in the Create group, click Import Configuration Data.
3. On the Select Files page of the Import Configuration Data Wizard, click Add, and then in the Open
dialog box, select the .cab files you want to import.
4. Select the Create a new copy of the imported configuration baselines and configuration items check
box if you want the imported configuration data to be editable in the Configuration Manager console.
5. On the Summary page, review the actions that will be taken, and then complete the wizard.
The imported configuration data displays in the Compliance Settings node of the Assets and Compliance
workspace.
Create user data and profiles configuration items in Configuration Manager
9/4/2020 • 5 minutes to read

Applies to: Configuration Manager (current branch)


User data and profiles configuration items in Configuration Manager contain settings that can manage folder
redirection, offline files and roaming profiles on computers that run Windows 8 and later for users in your
hierarchy. For example, you can:
Redirect a user's Documents folder to a network share.
Ensure that specified files stored on the network are available on a user's computer when the network
connection is unavailable.
Configure which files in a user's roaming profile are synchronized with a network share when the user logs
on and off.
Unlike other configuration items in Configuration Manager, you do not add user data and profile
configuration items to a configuration baseline which you then deploy. Instead, you deploy the
configuration item directly by using the Deploy User Data and Profiles Configuration Item dialog box.

IMPORTANT
You can only deploy user data and profiles configuration items to user collections.

Enable user data and profiles for compliance settings


Use the following procedure to configure the default client setting for user data and profiles compliance settings
which will apply to all computers in your hierarchy. If you want this setting to apply to only some computers, create
a custom device client setting and assign it to a collection that contains the computers for which you want to use
user data and profiles compliance settings. For more information about how to create custom device settings, see
How to configure client settings.
1. In the Configuration Manager console, click Administration > Client Settings > Default Settings .
2. On the Home tab, in the Properties group, click Properties.
3. In the Default Settings dialog box, click Compliance Settings .
4. From the Enable User Data and Profiles drop-down list, select Yes .
5. Click OK to close the Default Settings dialog box.

Create a user data and profiles configuration item


1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings > User
Data and Profiles .
2. On the Home tab, in the Create group, click Create User Data and Profiles Configuration Item .
3. On the General page of the Create User Data and Profiles Configuration Item Wizard , specify the
following information:
Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters.
Description: Provide a description that gives an overview of the configuration item and other
relevant information that helps to identify it in the Configuration Manager console. You can use a
maximum of 256 characters.
Folder redirection: Check this box if you want to configure settings for folder redirection for this
configuration item.
Offline files: Check this box if you want to configure settings for offline files for this configuration
item.
Roaming user profiles: Check this box if you want to configure settings for roaming user profiles
for this configuration item.
4. On the Folder Redirection page of the Create User Data and Profiles Configuration Item Wizard ,
specify how you want the client computers of users that receive this configuration item to manage folder
redirection. You can configure settings for any device the user logs onto or for only the user's primary
devices. For more information about folder redirection, see your Windows Server documentation.

NOTE
This page only appears if you checked Folder redirection on the General page of the wizard.

5. On the Offline Files page of the Create User Data and Profiles Configuration Item Wizard , you can
enable or disable the use of offline files for users that receive this configuration item and configure settings
for the behavior of the offline files. You can also specify offline files that will always be available on any
computer that the user logs on to. For more information about offline files, see your Windows Server
documentation.

NOTE
This page only appears if you checked the box Offline files on the General page of the wizard.

6. On the Roaming Profiles page of the Create User Data and Profiles Configuration Item Wizard ,
you can configure whether roaming profiles are available on computers that the user logs onto and also
configure further information about how these profiles behave. For more information about roaming
profiles, see your Windows Server documentation.

NOTE
This page only appears if you checked the box Roaming user profiles on the General page of the wizard.

7. Complete the wizard.


The new user data and profiles configuration item is shown in the User Data and Profiles node of the
Assets and Compliance workspace.

Deploy a user data and profiles configuration item


1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings > User
Data and Profiles .
2. Select the user data and profiles configuration item you want to deploy and then, in the Home tab, in the
Deployment group, click Deploy .
3. In the Deploy User Data and Profiles Configuration Item dialog box, specify the following
information.
Collection - Click Browse to select the user collection where you want to deploy the configuration
item.

IMPORTANT
You can only deploy user data and profiles configuration items to user collections.

Remediate noncompliant rules when supported – Enable this option to automatically
remediate any rules that are evaluated as noncompliant on client computers.
Allow remediation outside the maintenance window – If a maintenance window has been
configured for the collection to which you are deploying the configuration item, enable this option to
let compliance settings remediate the value outside of the maintenance window. For more
information about maintenance windows, see How to use maintenance windows.
Generate an alert – Enable this option to configure an alert that is generated if the configuration
item compliance is less than a specified percentage by a specified date and time. You can also specify
whether you want an alert to be sent to System Center Operations Manager.
Specify the compliance evaluation schedule for this configuration item - Specifies the
schedule by which the deployed configuration item is evaluated on client computers. This can be
either a simple or a custom schedule.
4. Click OK to close the Deploy User Data and Profiles Configuration Item dialog box and to create the
deployment.

Monitor a user data and profiles configuration item


You monitor this type of configuration item in the same way that you monitor other compliance settings.
For more information, see How to monitor compliance settings.
OneDrive for Business Profiles
9/4/2020 • 2 minutes to read

Starting in Configuration Manager version 1902, you can create OneDrive for Business Profiles for moving
Windows known folders to OneDrive for Business. These folders include Desktop, Documents, and Pictures. In each
profile, you can specify settings for moving the Windows known folders. For more information on OneDrive for
Business, see Redirect and move Windows known folders to OneDrive.

Prerequisites
Find your Microsoft 365 tenant ID
Deploy the OneDrive sync client version 18.111.0603.0004 or later. For more information, see Deploy
OneDrive apps by using Configuration Manager.

Move Windows known folders to OneDrive


Use Configuration Manager to move Windows known folders to OneDrive for Business. These folders include
Desktop, Documents, and Pictures. To simplify your Windows 10 upgrades, deploy these settings to Windows 7
clients before deploying a task sequence.
1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance
Settings, and select the OneDrive for Business Profiles node.
2. In the ribbon, select Create OneDrive for Business Profile.
3. Specify a name to identify this policy, and select Next.
4. Select the platforms that will be provisioned with the OneDrive for Business profile. When you're finished
selecting the platforms, click Next .
5. On the Settings page:
a. Specify your Microsoft 365 tenant ID.
b. Select one of the following options to move the known folders to OneDrive:
Prompt users to move Windows known folders to OneDrive : With this option, the user
sees a wizard to move their files. If they choose to postpone or decline moving their folders,
OneDrive periodically reminds them.
Silently move Windows known folders to OneDrive : When this policy applies to the
device, the OneDrive client automatically redirects the known folders to OneDrive for Business.
Show notification to users after folders have been redirected : If you enable this
option, the OneDrive client notifies the user after it moves their folders.
c. Prevent users from redirecting their Windows known folders back to their PC : Disables the
option in OneDrive for Business on the client for users to move these folders back to the device.
6. Complete the wizard, then deploy the policy.

Deploy the OneDrive for Business Profile


1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance
Settings , and select the OneDrive for Business Profiles node.
2. Select the profile, then select Deploy in the ribbon.
3. Specify the following settings for your deployment:
a. Collection : Click Browse..., then select the collection for which you want to deploy the profile.
b. Generate an alert:
When compliance is below : Minimum percentage of client compliance to maintain otherwise
an alert is generated.
Date and time : The date alerts first start being generated based on profile compliance.
Generate System Center Operations Manager alert: Send a compliance alert to System
Center Operations Manager.
c. Schedule :
Simple schedule : By default, this setting uses a simple schedule to start the compliance
evaluation every seven days.
Custom schedule : Define when to run the compliance evaluation. The start time is based on the
local time for the computer that runs the Configuration Manager console at the time you create
the schedule or you can use UTC.
4. Click OK to deploy the OneDrive for Business profile.

Next steps
Create remote connection profiles
Remote connection profiles in Configuration Manager
9/4/2020 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Use Configuration Manager remote connection profiles to allow your users to remotely connect to work
computers. These profiles let you deploy Remote Desktop Connection settings to users in your hierarchy. Users
can access any of their primary work computers through Remote Desktop over a VPN connection.

IMPORTANT
When you specify remote connection profile settings with Configuration Manager, the client stores the settings in Windows
local policy. These settings might override Remote Desktop settings that you configure with another application. Additionally,
if you use Windows Group Policy to configure Remote Desktop settings, the settings specified in the Group Policy will
override Configuration Manager settings.

Configuration Manager creates a security group on clients, Remote PC Connect. When you deploy a remote
connection profile, the client adds the primary users of the computer to this group. A local administrator can
manually add or remove users from this group, but Configuration Manager resets the membership when it next
evaluates compliance of the profile.

IMPORTANT
If the user device affinity relationship between a user and a device changes, Configuration Manager disables the remote
connection profile and Windows Firewall settings to prevent connections to the computer.

Prerequisites
External dependencies
If you want to enable users to connect from the internet, install and configure a Remote Desktop Gateway
server. For more information about how to install and configure a Remote Desktop Gateway server, see
Remote Desktop Services - Access from anywhere.
If clients run a host-based firewall, it must enable the mstsc.exe program. When you configure a remote
connection profile, enable the setting to Allow Windows Firewall exception for connections on
Windows domains and on private networks . This setting allows Configuration Manager to
automatically configure Windows Firewall.

TIP
Group Policy settings to configure Windows Firewall can override the configuration that you set in Configuration
Manager. If you use Group Policy to configure Windows Firewall, make sure that Group Policy settings don't block
mstsc.exe.

If clients run a different host-based firewall, manually configure this firewall dependency.
Configuration Manager dependencies
In order for a user to connect to a work computer, that computer must be a primary device of the user. For
more information, see Link users and devices with user device affinity.
To manage remote connection profiles, your user account needs specific permissions in Configuration
Manager. The Compliance Settings Manager built-in role includes the permissions required to manage
these profiles. For more information, see Configure role-based administration.

Security and privacy considerations


Security considerations
Manually specify user device affinity instead of allowing users to identify their primary device. Don't enable
usage-based configuration.
Before you can deploy a remote connection profile, you need to enable the option to Allow all
primary users of the work computer to remotely connect . With this configuration, you
should always manually specify user device affinity. Don't consider the information that
Configuration Manager collects from users or from the device to be authoritative. If you deploy a
profile, and a trusted administrative user doesn't specify user device affinity, unauthorized users
might receive elevated privileges and can remotely connect to computers.
Configuration Manager collects usage-based information through state messages, which is a fast but
insecure communication channel. To help mitigate this threat, use Server Message Block (SMB)
signing or Internet Protocol security (IPsec) between client computers and the management point.
Restrict local administrative rights on the site server computer. A local administrator on the site server can
manually add members to the Remote PC Connect security group that Configuration Manager
automatically creates and maintains. This action might cause an elevation of privileges because members
receive Remote Desktop permissions.
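The two risks above (untrusted user device affinity data feeding the Remote PC Connect group, and a local administrator adding members by hand) are both visible on the client. The following PowerShell audit is an added example, not Configuration Manager product code: it reads the Remote PC Connect membership, the local-policy and effective Remote Desktop settings the client writes, the state of the built-in Remote Desktop firewall rule group, and recent security events for manual group additions. The registry paths are the standard Windows Terminal Services policy locations and are assumptions here; the group name and the mstsc.exe dependency come from the article. Run it in an elevated session on a client; event 4732 only appears if the "Security Group Management" audit subcategory is enabled.

```powershell
# Added example (not Configuration Manager product code): audit what a deployed
# remote connection profile leaves behind on a client, from a defender's view.
# Assumed: the Terminal Services local-policy registry paths below are the
# standard Windows locations; the group name comes from the article.

$groupName = 'Remote PC Connect'

function Get-RemoteConnectionAudit {
    $result = [ordered]@{}

    # 1. Group membership: who receives Remote Desktop rights through the profile.
    try {
        $members = Get-LocalGroupMember -Group $groupName -ErrorAction Stop |
                   Select-Object -ExpandProperty Name
    } catch {
        $members = @("<group '$groupName' not present>")
    }
    $result.GroupMembers = $members

    # 2. Local-policy values the client writes (assumed path). Group Policy with the
    #    same values would override what Configuration Manager sets.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $result.PolicyDenyTSConnections = $p.fDenyTSConnections    # 0 = connections allowed
    $result.PolicyUserAuthentication = $p.UserAuthentication   # 1 = NLA required

    # 3. Effective Terminal Server settings, to compare with the policy values.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $result.EffectiveDenyTSConnections = $ts.fDenyTSConnections
    $result.EffectiveUserAuthentication = $rdp.UserAuthentication

    # 4. Windows Firewall: the built-in Remote Desktop rule group (covers mstsc.exe inbound).
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $result.FirewallRulesEnabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count

    [pscustomobject]$result
}

function Get-RecentGroupChanges {
    # Event 4732 = a member was added to a security-enabled local group.
    # Surfaces manual additions that bypass Configuration Manager until the next
    # compliance evaluation resets the membership.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($groupName) } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-RemoteConnectionAudit | Format-List
Get-RecentGroupChanges | Format-Table -AutoSize
```

A client that should have the profile applied is expected to show PolicyDenyTSConnections 0, PolicyUserAuthentication 1 (when the NLA setting is enabled in the profile) and at least one enabled Remote Desktop firewall rule; a member listed in GroupMembers that is not a primary user of the device, or any 4732 event for this group outside a compliance evaluation, is worth investigating.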
Privacy considerations
When a user remotely connects to a work computer, they download a .wsrdp file. This file contains the device
name and the Remote Desktop Gateway Server name. These values are required to create the Remote Desktop
session. The .wsrdp file is downloaded and automatically saved locally. This file is overwritten the next time that
the user runs a Remote Desktop session.

Create a profile
1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand
Compliance Settings , and select Remote Connection Profiles .
2. On the Home tab of the ribbon, in the Create group, select Create Remote Connection Profile .
3. On the General page of the Create Remote Connection Profile Wizard , specify a name and optional
description for the profile. Both values have a maximum limit of 256 characters.
4. On the Profile Settings page, specify the following settings:
Full name and port of the Remote Desktop Gateway server (optional) : Specify the name of
the Remote Desktop Gateway Server to use for connections. This value has the following
requirements:
The server name can't be longer than 256 characters.
It can contain uppercase, lowercase, and numeric characters.
Aside from periods ( . ) between segments, and a colon ( : ) before the port, the only special
characters are dash ( - ) and underscore ( _ ).
Configuration Manager doesn't support the use of an internationalized domain name for this
value.
Allow connections only from computers that run Remote Desktop with Network Level
Authentication : Enabled by default, this setting adds an additional level of security for the
connection. For more information, see Grant Remote Desktop access.
Enable the following connection settings:
Allow remote connections to work computers
Allow all primary users of the work computer to remotely connect
Allow Windows Firewall exception for connections on Windows domains and on
private networks

IMPORTANT
All three settings must be the same before you can continue.

Only disable these settings when you deploy a profile to turn off remote connections.
5. Complete the wizard.
The new profile is displayed in the Remote Connection Profiles node in the Assets and Compliance
workspace.

Deploy
1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand
Compliance Settings , and select Remote Connection Profiles .
2. In the Remote Connection Profiles list, select the profile that you want to deploy. In the Home tab of the
ribbon, in the Deployment group, select Deploy .
3. In the Deploy Remote Connection Profile window, specify the following information:
Collection : Browse to select the device collection where you want to deploy the profile.
Remediate noncompliant rules when supported : Enable this setting to automatically remediate
the profile settings when they're noncompliant on a device. The profile can be noncompliant when it
doesn't exist.
Allow remediation outside the maintenance window : If you configure a maintenance window
for the collection to which you deploy the profile, enable this option to let Configuration Manager
remediate it outside the maintenance window. For more information, see How to use maintenance
windows.
Generate an aler t : Enable this option to configure a compliance alert.
Specify the compliance evaluation schedule for this configuration baseline : Specify a
simple or custom schedule by which the client evaluates the profile.
4. Select OK to close the window and create the deployment.
Client evaluation
The client evaluates the profile when a user signs in.
If a device leaves a collection to which you deploy a remote connection profile, Configuration Manager disables
the settings on the device. However, for this process to occur correctly, you must have already deployed at least
one configuration item or configuration baseline that contains a configuration item from your site.
Conflict resolution
Don't deploy more than one remote connection profile with conflicting settings to the same device. For example,
you deploy two profiles with different settings to the same collection. You only configure one profile deployment
to Remediate noncompliant rules when supported . This deployment might override the settings in the other
profile. Configuration Manager doesn't support this type of remote connection profile deployment.

Monitor
In the Configuration Manager console, go to the Monitoring workspace, and select Deployments . In the
Deployments list, select the remote connection profile deployment.
You can review summary information about the compliance of the remote connection profile deployment on the
main page. To view more detailed information, select the profile deployment. Then on the Home tab of the ribbon,
in the Deployment group, select View Status . This action opens the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant : Displays the compliance of the remote connection profile based on the number of assets that
are affected.

IMPORTANT
The client doesn't evaluate a remote connection profile if it's not applicable. However, it still reports compliant.

Error : Displays a list of all errors for the selected remote connection profile deployment based on the
number of assets that are affected.
Non-Compliant : Displays a list of all noncompliant rules within the remote connection profile based on
the number of assets that are affected.
Unknown : Displays a list of all devices that didn't report compliance for the selected remote connection
profile deployment, together with the current client status of the devices.
On any tab, open a rule to create a temporary subnode under the Users node in the Assets and Compliance
workspace. This subnode contains all devices with the compliance state of the selected tab.
The Asset Details pane displays the devices with the selected compliance state for this profile. Open a device in
the list to display additional information.

Reports
Configuration Manager includes built-in reports that you can use to monitor information about remote connection
profiles. These reports have the report category of Compliance and Settings Management .

IMPORTANT
Use the wildcard character ( % ) when you use the parameters Device filter and User filter in the reports for compliance
settings.

For more information about how to configure reporting in Configuration Manager, see Introduction to reporting.
Upgrade Windows devices to a new edition with Configuration Manager
9/4/2020 • 3 minutes to read

Applies to: Configuration Manager (current branch)


The Edition Upgrade Policy lets you automatically upgrade Windows 10 devices to a different edition.
The following upgrade paths are supported:
From Windows 10 Pro to Windows 10 Enterprise
From Windows 10 Home to Windows 10 Education
From Windows 10 Mobile to Windows 10 Mobile Enterprise
The devices must run the Configuration Manager client software. Devices managed by on-premises MDM aren't
supported.

Before you start


Before you begin to upgrade devices to the latest version, review the following prerequisites:
For desktop editions of Windows 10: A valid product key for the new version of Windows on all devices you
target with the policy. This product key can be a multiple activation key (MAK), or a generic volume licensing
key (GVLK). A GVLK is also referred to as a key management service (KMS) client setup key. For more
information, see Plan for volume activation. For a list of KMS client setup keys, see Appendix A of the
Windows Server activation guide.
For Windows 10 Mobile: An XML license file from the Microsoft Volume Licensing Service Center (VLSC).
This file contains the licensing information for the new version of Windows on all devices you target with
the policy. Download the ISO file for Windows 10 Mobile Enterprise , which includes the licensing XML.
To manage this policy type, you must be in the Configuration Manager Full Administrator security role.

Configure the policy


1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand
Compliance Settings , and select the Windows 10 Edition Upgrade node.
2. On the Home tab of the ribbon, in the Create group, select Create Edition Upgrade Policy .
3. Select Create Policy .
4. On the General page of the Create Edition Upgrade Policy Wizard , specify the following information:
Name - Enter a name for the edition upgrade policy
Description (optional) - Optionally, enter a description for the policy that helps you identify it in the
Configuration Manager console
SKU to upgrade device to - From the drop-down list, select the target edition of Windows 10
desktop or Windows 10 Mobile
License information - Select one of the following options:
Product Key - Enter a valid product key for the target Windows 10 desktop edition

NOTE
After you create a policy containing a product key, you can't edit the product key later. Configuration
Manager obscures the key for security reasons. To change the product key, re-enter the entire key.

License File - Select Browse to choose a valid license file in XML format. Configuration
Manager uses this license file to upgrade Windows 10 Mobile devices.
5. Complete the wizard.

Deploy the policy


1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand
Compliance Settings , and select the Windows 10 Edition Upgrade node.
2. Select the Windows 10 edition upgrade policy you want to deploy. On the Home tab of the ribbon, in the
Deployment group, select Deploy .
3. Choose the device collection to which you want to deploy the policy.
4. Select the schedule by which the client evaluates the policy.
5. Complete the wizard.

Next steps
Monitor this deployment from the Deployments node of the Monitoring workspace. If you see errors indicating
an unsuccessful deployment, for example:
Not applicable for this device
Data type conversion failed
These errors don't mean that the deployment failed. Verify at the targeted device that the upgrade ran successfully.
Once the client evaluates the targeted policy, it applies the upgrade within two hours. Some versions of Windows
may require a restart at that time. Make sure you inform any users to which you deploy the policy, or schedule the
policy to run outside of the users' working hours.
If the following error appears in DcmWmiProvider.log on the client, check that you're using the proper key for
your activation scenario. For more information, see the Before you start section. If you're using a key management
service (KMS) for activation, make sure to use a KMS client setup key.
Failed to execute CheckApplicabilityMethod with error = 0x80041001 OsEditionUpgradeProvider
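To tie that log entry back to the key type in use, the following PowerShell is an added example, not part of the article or of Configuration Manager: it parses client log lines for the applicability error quoted above and reports the Windows edition plus the partial product key, license status and KMS host (if any) of the active Windows license. Assumptions, stated here and in the code: the log uses the CMTrace line format (`<![LOG[...]LOG]!><time=... date=... component=... type=...>`), the default client log folder is C:\Windows\CCM\Logs, and the sample line is constructed for the demonstration rather than taken from a real client.

```powershell
# Added example (not Configuration Manager code): find the edition-upgrade
# applicability error in DcmWmiProvider.log and show the current license state.
# Assumed: CMTrace log line format and the default client log path.

$logPath      = 'C:\Windows\CCM\Logs\DcmWmiProvider.log'
$errorPattern = 'Failed to execute CheckApplicabilityMethod with error = 0x80041001'

function ConvertFrom-CMLogLine {
    # Parses one CMTrace-format line into an object; non-matching lines are dropped.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"') {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Type      = [int]$Matches.type   # 1 = info, 2 = warning, 3 = error
                Message   = $Matches.msg
            }
        }
    }
}

function Find-EditionUpgradeErrors {
    param([string[]]$Lines)
    $Lines | ConvertFrom-CMLogLine | Where-Object { $_.Message -like "$errorPattern*" }
}

function Get-EditionLicenseState {
    # Edition plus the partial product key / license status of the active Windows
    # license, from the SoftwareLicensingProduct WMI class. KmsServer is only set
    # on a KMS client, which is the case where a KMS client setup key is required.
    $os  = Get-CimInstance Win32_OperatingSystem
    $lic = Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"
    foreach ($l in $lic) {
        [pscustomobject]@{
            Edition           = $os.Caption
            LicenseName       = $l.Name
            PartialProductKey = $l.PartialProductKey
            LicenseStatus     = $l.LicenseStatus   # 1 = licensed
            KmsServer         = $l.KeyManagementServiceMachine
        }
    }
}

# Constructed sample line (not from a real client) to exercise the parser offline.
$sample = @(
    '<![LOG[Failed to execute CheckApplicabilityMethod with error = 0x80041001]LOG]!><time="10:15:02.123+000" date="09-04-2020" component="OsEditionUpgradeProvider" context="" type="3" thread="4120" file="oseditionupgradeprovider.cpp:0">'
)
Find-EditionUpgradeErrors -Lines $sample | Format-List

if (Test-Path $logPath) {
    Find-EditionUpgradeErrors -Lines (Get-Content $logPath) |
        Format-Table Date, Time, Component, Message -AutoSize
}
Get-EditionLicenseState | Format-List
```

If the error is present and KmsServer is populated, the policy should carry a KMS client setup key rather than a MAK; if no Windows license row appears with a partial key, the device has no activated Windows license to upgrade from and the applicability check is expected to fail.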

See also
Plan for volume activation
Windows 10 edition upgrade
Upgrade Windows 10 editions or switch out of S mode on devices using Microsoft Intune
Configure Microsoft Edge Legacy settings in Configuration Manager
9/4/2020 • 3 minutes to read

IMPORTANT
If you're using Microsoft Edge version 77 or later, and are trying to open the settings pane, enter
edge://settings/profiles in the browser address bar instead of search. For more information, see Get to know Microsoft
Edge.
This article is for IT professionals to manage Microsoft Edge Legacy settings with Microsoft Endpoint Configuration Manager.

Applies to: Configuration Manager (current branch)


For customers who use the Microsoft Edge Legacy web browser on Windows 10 clients, create a Configuration
Manager compliance policy to configure the browser settings.
This policy only applies to clients on Windows 10, version 1703 or later, and Microsoft Edge Legacy version 45 and
earlier.
For more information on managing Microsoft Edge version 77 or later with Configuration Manager, see Deploy
Microsoft Edge, version 77 and later. For more information on configuring policies for Microsoft Edge version 77
or later, see Microsoft Edge - Policies.

Policy settings
This policy currently includes the following settings:
Set Microsoft Edge browser as default : configures the Windows 10 default app setting for web browser
to Microsoft Edge
Allow address bar drop-down : Requires Windows 10, version 1703 or later. For more information, see
AllowAddressBarDropdown browser policy.
Allow sync favorites between Microsoft browsers : Requires Windows 10, version 1703 or later. For
more information, see SyncFavoritesBetweenIEAndMicrosoftEdge browser policy.
Allow clear browsing data on exit : Requires Windows 10, version 1703 or later. For more information,
see ClearBrowsingDataOnExit browser policy.
Allow Do Not Track headers : For more information, see AllowDoNotTrack browser policy.
Allow autofill : For more information, see AllowAutofill browser policy.
Allow cookies : For more information, see AllowCookies browser policy.
Allow pop-up blocker : For more information, see AllowPopups browser policy.
Allow search suggestions in address bar : For more information, see
AllowSearchSuggestionsinAddressBar browser policy.
Allow send intranet traffic to Internet Explorer : For more information, see
SendIntranetTraffictoInternetExplorer browser policy.
Allow password manager : For more information, see AllowPasswordManager browser policy.
Allow Developer Tools : For more information, see AllowDeveloperTools browser policy.
Allow extensions : For more information, see AllowExtensions browser policy.

TIP
For more information on using group policy to configure these and other settings, see Microsoft Edge Legacy group policies.

Configure Windows Defender SmartScreen settings for Microsoft Edge Legacy


This policy adds three settings for Windows Defender SmartScreen. The policy now includes the following
additional settings on the SmartScreen Settings page:
Allow SmartScreen : Specifies whether Windows Defender SmartScreen is allowed. For more information,
see the AllowSmartScreen browser policy.
Users can override SmartScreen prompt for sites : Specifies whether users can override the Windows
Defender SmartScreen Filter warnings about potentially malicious websites. For more information, see the
PreventSmartScreenPromptOverride browser policy.
Users can override SmartScreen prompt for files : Specifies whether users can override the Windows
Defender SmartScreen Filter warnings about downloading unverified files. For more information, see the
PreventSmartScreenPromptOverrideForFiles browser policy.
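The three SmartScreen settings are the ones with the clearest weak state: SmartScreen disabled, or warnings that a user can click through for sites or for downloaded files. The following PowerShell is an added example, not part of the article or of Configuration Manager, that checks a client for the hardened values and reports each setting as Compliant, NonCompliant or NotConfigured. The registry locations (the Edge Legacy group-policy values under HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter: EnabledV9, PreventOverride and PreventOverrideAppRepUnknown) are assumptions stated in the code; confirm them against your own policy reference before relying on the result.

```powershell
# Added example (not Configuration Manager code): compare a client's Edge Legacy
# SmartScreen policy values with the hardened state a deployed profile should enforce.
# Assumed: the registry locations below are the Edge Legacy group-policy locations.

$edgeLegacyPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge'

# Hardened state per setting; the weak value is noted beside each entry.
$expected = @(
    @{ Setting = 'AllowSmartScreen';                         Key = 'PhishingFilter'; Name = 'EnabledV9';                    Want = 1 }  # 0 = SmartScreen off
    @{ Setting = 'PreventSmartScreenPromptOverride';         Key = 'PhishingFilter'; Name = 'PreventOverride';              Want = 1 }  # 0 = users can bypass site warnings
    @{ Setting = 'PreventSmartScreenPromptOverrideForFiles'; Key = 'PhishingFilter'; Name = 'PreventOverrideAppRepUnknown'; Want = 1 }  # 0 = users can run unverified downloads
)

function Test-EdgeLegacySmartScreen {
    param([string]$PolicyRoot = $edgeLegacyPolicy, [object[]]$Rules = $expected)
    foreach ($r in $Rules) {
        $path   = Join-Path $PolicyRoot $r.Key
        $actual = $null
        if (Test-Path $path) {
            # Dynamic property lookup; $null when the value name is absent.
            $actual = (Get-ItemProperty -Path $path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        }
        [pscustomobject]@{
            Setting   = $r.Setting
            ValueName = $r.Name
            Expected  = $r.Want
            Actual    = $actual
            State     = if ($null -eq $actual) { 'NotConfigured' }
                        elseif ($actual -eq $r.Want) { 'Compliant' }
                        else { 'NonCompliant' }
        }
    }
}

Test-EdgeLegacySmartScreen | Format-Table -AutoSize
```

NotConfigured on a device that is in the deployment's collection usually means the client has not yet evaluated the profile, or the device fell outside the Supported Platforms selection; NonCompliant on a device where remediation is enabled points at a conflicting Group Policy, which overrides what Configuration Manager writes.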

Create the browser profile


1. In the Configuration Manager console, go to the Assets and Compliance workspace. Expand Compliance
Settings and select the Microsoft Edge Browser Profiles node. In the ribbon, select Create Microsoft
Edge profile .
2. Specify a Name for the policy, optionally enter a Description , and select Next .
3. On the General Settings page, change the value to Configured for the settings to include in this policy. To
continue the wizard, make sure to configure the setting to Set Edge Browser as default .
4. Configure settings on the SmartScreen Settings page.
5. On the Supported Platforms page, select the OS versions and architectures to which this policy applies.
6. Complete the wizard.

Deploy the policy


1. Select your policy, and in the ribbon select Deploy .
2. Browse to select the user or device collection to which to deploy the policy.
3. Select additional options as necessary:
a. Generate alerts when the policy isn't compliant.
b. Set the schedule by which the client evaluates the device's compliance with this policy.
4. Select OK to create the deployment.

Next steps
Like any compliance settings policy, the client remediates the settings on the schedule you specify. Monitor and
report on device compliance in the Configuration Manager console.
Monitor compliance settings in Configuration Manager
9/4/2020 • 5 minutes to read

Applies to: Configuration Manager (current branch)


After you have deployed Configuration Manager configuration baselines to devices in your hierarchy, you can use
one or more of the procedures in this topic to display the compliance status of the configuration baseline:

NOTE
The validation criteria fields in compliance settings reports (the equivalent on the client-side report is Constraints ) display
the underlying Service Modeling Language (SML). This can make it difficult for administrators who have authored the
configuration item in the Configuration Manager console to understand what the validation criteria is if they do not have
knowledge of SML. In this case, use the Monitoring workspace in the Configuration Manager console to view the
properties of the configuration item and its validation criteria.

View compliance results in the Configuration Manager console


Use this procedure to view details about the compliance of deployed configuration baselines in the Configuration
Manager console.
View compliance results in the Configuration Manager console
1. In the Configuration Manager console, click Monitoring > Deployments .
2. In the Deployments list, select the configuration baseline deployment for which you want to review
compliance information.
3. You can review summary information about the compliance of the configuration baseline deployment on
the main page. To view more detailed information, select the configuration baseline deployment, and then
on the Home tab, in the Deployment group, click View Status to open the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant : Displays the compliance of the configuration baseline based on the number of assets
affected. You can click a rule to create a temporary node under the Users or Devices node that are
in the Assets and Compliance workspace, which contains all users or devices that are compliant
with this rule. The Asset Details pane displays the users or devices that are compliant with the
configuration baseline. Double-click a user or device in the list to display additional information.

IMPORTANT
A configuration item rule is not evaluated if it is not detected or not applicable on a client device; however,
the rule is returned as compliant.

Error : Displays a list of all errors for the selected configuration baseline deployment based on
number of assets affected. You can click a rule to create a temporary node under the Users or
Devices node of the Assets and Compliance workspace, which contains all users or devices that
generated errors with this rule. When you select a user or device, the Asset Details pane displays
the users or devices that are affected by the selected issue. Double-click a user or device in the list to
display additional information about the issue.
Non-Compliant : Displays a list of all noncompliant rules within the configuration baseline based on
number of assets affected. You can click a rule to create a temporary node under the Users or
Devices node of the Assets and Compliance workspace, which contains all users or devices that
are not compliant with this rule. When you select a user or device, the Asset Details pane displays
the users or devices that are affected by the selected issue. Double-click a user or device in the list to
display further information about the issue.
Unknown : Displays a list of all users and devices that did not report compliance for the selected
configuration baseline deployment together with the current client status of devices.
4. On the Deployment Status page, you can review detailed information about the compliance of the
deployed configuration baseline. A temporary node is created under the Deployments node that helps
you find this information again quickly.

View compliance results by using reports


Compliance settings in Configuration Manager includes a number of built-in reports that let you monitor
information about configuration items, configuration baselines, and deployments. These reports have the report
category of Compliance and Settings Management .

IMPORTANT
You must use a wildcard (%) character when you use the parameters Device filter and User filter in the compliance settings
reports.

For more information about how to configure Reporting in Configuration Manager, see Introduction to reporting.

View compliance results on a Configuration Manager Windows client computer

NOTE
You cannot view information on the Configuration Manager Windows client if you are logged on with a domain Guest
account.

1. Navigate to Configuration Manager in Control Panel of the client computer, and double-click it to open
its properties.
2. Click the Configurations tab, and view the list of deployed configuration baselines.
3. View the Compliance State for each configuration baseline:

IMPORTANT
The evaluation results are cached on the client for 15 minutes. If you initiate a re-evaluation within the 15 minute
period, the compliance results are returned from this cache rather than a new evaluation. Therefore, if you make a
change on the client that might affect the compliance evaluation results, wait until the 15 minutes have elapsed
before initiating a re-evaluation.

Compliant : The client computer is in compliance with the evaluated configuration baseline.
Non-Compliant : The client computer is out of compliance with the evaluated configuration
baseline.
Unknown : The client computer has not yet evaluated the configuration baseline. If you want to
initiate evaluation outside the compliance evaluation schedule, select the configuration baselines to
evaluate, and then click Evaluate .

NOTE
If you have local administrator credentials on the client computer, you can view details of each evaluated
configuration baseline to determine which configuration item is reporting a noncompliant status. To do this,
select the configuration baseline, and then click View Report .

4. Click OK .
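The same information that the Configurations tab shows can be read from the client's WMI compliance namespace, which is useful when checking many devices or when scripting an evaluation outside the schedule. The following PowerShell is an added example, not part of the article or of Configuration Manager: it lists the assigned baselines with their last compliance state and evaluation time, and triggers a re-evaluation only after warning when the last result is still inside the 15-minute cache window described above. Assumptions, stated in the code as well: the class root\ccm\dcm\SMS_DesiredConfiguration with its TriggerEvaluation method, the IsMachineTarget and IsEnforced arguments passed to it, and the numeric mapping of LastComplianceStatus codes. Check the mapping against your client version; run elevated on a device with the client installed.

```powershell
# Added example (not Configuration Manager code): read baseline compliance from
# the client's WMI namespace and trigger an evaluation outside the schedule.
# Assumed: root\ccm\dcm\SMS_DesiredConfiguration, its TriggerEvaluation method
# and arguments, and the LastComplianceStatus code mapping below.

$ns = 'root\ccm\dcm'

# Assumed mapping of LastComplianceStatus codes to the states shown in the console.
$statusNames = @{ 0 = 'Non-Compliant'; 1 = 'Compliant'; 2 = 'Submitted'; 3 = 'Unknown'; 4 = 'Detecting'; 5 = 'Not Evaluated' }

function Get-ClientBaselineStatus {
    Get-CimInstance -Namespace $ns -ClassName SMS_DesiredConfiguration | ForEach-Object {
        $code = [int]$_.LastComplianceStatus
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Name        = $_.Name
            Version     = $_.Version
            Status      = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "Code $code" }
            LastEval    = $_.LastEvalTime
        }
    }
}

function Invoke-BaselineEvaluation {
    param(
        [Parameter(Mandatory)][string]$Name,      # internal Name, not DisplayName
        [Parameter(Mandatory)][string]$Version,
        [int]$CacheMinutes = 15                    # client result cache, per the article
    )
    $b = Get-CimInstance -Namespace $ns -ClassName SMS_DesiredConfiguration -Filter "Name='$Name' AND Version='$Version'"
    if (-not $b) { throw "Baseline '$Name' version $Version is not assigned to this client." }

    # Inside the cache window the client answers from cached results, so a change
    # made on the device since the last evaluation will not yet be reflected.
    if ($b.LastEvalTime -and ((Get-Date) - $b.LastEvalTime).TotalMinutes -lt $CacheMinutes) {
        Write-Warning "Last evaluation at $($b.LastEvalTime) is inside the $CacheMinutes-minute cache window; results may come from cache."
    }

    Invoke-CimMethod -Namespace $ns -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation `
        -Arguments @{ Name = $Name; Version = $Version; IsMachineTarget = $true; IsEnforced = $true }
}

# List the baselines; to re-evaluate one, pass its Name and Version from this list:
#   Invoke-BaselineEvaluation -Name '<baseline Name>' -Version '<Version>'
Get-ClientBaselineStatus | Format-Table -AutoSize
```

Pairing this with the console view is the practical check: a baseline that shows Compliant here but Non-Compliant in the Deployment Status page has usually not yet sent its updated state message to the site, so wait for the next evaluation cycle before treating the difference as an error.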

Create collections based on configuration baseline compliance


Use the following procedure to create a Configuration Manager collection based on devices with a specified
compliance. You can create collections based on the following compliance states:
Compliant
Error
Non-compliant
Unknown
1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Baselines .
2. In the Configuration Baselines list, select the configuration baseline from which you want to create a
collection.
3. In the Deployment tab, in the Deployment Group , click Create New Collection and then, in the drop-
down list, select the compliance level for which you want to create a collection.
4. The Create User Collection Wizard or the Create Device Collection Wizard opens, depending on
whether the configuration item is deployed to users or devices. The wizard is automatically populated with
the correct values to create the collection; however, you can edit these values.
5. After you complete the wizard, the collection displays in the User Collections or the Device Collections
node in the Assets and Compliance workspace.
