DCM - Expand the Compliance Rules so that they can return Values
Expand the capabilities of the Compliance rules so that I can collect the Registry Value optionally.
It’s great that we can tell if systems are compliant, but often we are Auditing Registry values and handing the data over to Security or other groups. Those other groups determine if the setting is compliant or not.
Simply handing over a report that lists tens of thousands of systems as not compliant is not enough... the next question that we are often asked is what are the Non-Compliant values.
An additional check box to "Collect Values" would be very helpful and reduce a lot of additional work.
I personally use the 'DiscoveredValue' field of the 'vDCMDeploymentNonCompliantRuleDetailsPerClientMachine' and it works great. Just counterintuitive. The approved way to do this is with MOF modifications, using regkeytoMOF to generate it. It works. But I like to stay out of my MOF files unless I need the data for the long term, not just for one-off requests.
Kevin Myrup - ConfigMgr Product Team commented
This already happens today. When a value is non-compliant, the actual and expected values are reported back in the non-compliance report details. These details can be viewed in reports by 'drilling down' from the summary report down into a specific machine where the details are displayed in a linked report.
The detailed report may not scale to showing details for all machines depending on the number of clients. Is this report not very discoverable?
What would be a preferred way to provide this data (which already exists in the system) to the security group or others?