Premier Offerings: Configuration Manager Advanced Compliance

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.




By: Christopher Scott (CJ)



As a SCCM Engineer we have all experienced the pains of navigating through report after report trying to culminate enough data to provide an accurate representation of our environments’ patch status. As a Premier Field Engineer (PFE) at Microsoft the task has not gotten any easier. I get asked by a lot of customers about custom Power BI dashboards and reports that are available or can be created for SCCM administrators, managers, and stake holders alike.



The Configuration Manager Advanced Compliance (CMAC) reports have been created within Microsoft by a few PFE’s along with myself who form part of the development team with Lead Christopher Sugdinis.

The Configuration Manager Advanced Compliance (CMAC) reports are designed to offer:

  • An executive focused Power BI dashboard that concisely shows the current state of software update compliance, by month, over each of the last six months.
  • includes a unique "blacklist" feature that filters unwanted or unnecessary updates so that they are not counted against the organization’s unique compliance requirements while ensuring that all remaining applicable updates are accounted for.
  • The service is designed to ensure responsive and scalable reporting without adding to the database transaction load of Configuration Manager during business hours. By utilizing our custom Database Schema and population techniques we can ensure scalability and reporting responsiveness in environments managing up to 700,000 clients.

The CMAC solution (Configuration Manager Advanced Compliance) delivers a scalable, data-driven reporting overview of the System Center Configuration Manager environment.

This solution consists of a rich set of dashboards designed to deliver an executive view of compliance. At the same time, CMAC also provides granular, drill through reports that provide all metrics necessary for validation and correction.

Native Configuration Manager Reports are not replaced with this solution, the CMAC solution amplifies the data they show by providing additional data insights while incorporating custom blacklist filtering techniques.

The dashboards in this solution were created based on field experience and on customers’ needs to provide an overall view of various Configuration Manager functionality. The embedded charts and graphics provide details across the entire infrastructure.


Dashboard Months 1-3



Dashboard – Months 4-6



Drill through – Not Compliant Drill through



Drill through – Device Specific Compliance



Drill through – Patch Specific Drill though



Drill through – Device Not Synced






Key Features and Benefits

The CMAC solution consists of a single executive style dashboard that provides a series of drill- through reports designed to provide validation and ease of remediation:

  • Realize with better visibility than ever before the level of software update compliance that exists in your organization.
  • Software Update compliances reportable by collection, by device and by software update release cycle over each of the previous three months.
  • Provides comprehensive remediation information about devices that that are returning software update scan failures.
  • An accredited Microsoft Premier Field Engineer will also provide guidance on the identification and deployment of updates that are required and not installed in your environment.
  • The subscript maintenance component of the service provides for ongoing upgrade and training needs. Maintenance ensures that compliance needs are met both today as well as into the future.


The CMAC offering is supported on currently support releases of Configuration Manager Current Branch. Subscription based maintenance ensures supportability, feature parity and improvements alongside SCCM CB releases and Windows 10 CB releases alike.

Already have, or are considering Configuration Manager Advanced Dashboards (CMAD)? That’s great, while CMAD offers a wide range or reports over the entire SCCM data schema here are some areas that don’t overlap but complement each other.

  • CMAC
    • Depth focused on Update Compliance, particularly security. E.G. PCI DSS (Payment Card Industry - Data Security Standards), SOX (Sarbanes Oxley Act of 2002), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and ISO 27001 standards.
    • IT director focus with detailed software update compliance auditing going back six patch Tuesday release cycles. Historical trending proves which devices are 100% compliant to a company’s unique business standards and which are not.
    • CMAC also identifies devices which are not synced by root cause with over 50 top common causes clearly identified.
    • Scalability to support up to 700,000 devices through custom data warehouse model.
  •  CMAD
    • Breadth with great daily use report for all things Configuration Manager.
    • SCCM Admin focus for daily admin activities including package distributions, OS versions, and basic software updates snapshot of where they are “today”.
    • No data warehouse model


Already have, or are considering Configuration Manager Client Health (CMCH)? That’s great as well. CMAC is designed from the ground up to integrate with CMCH.


 Delivery Overview

This is a three-day remote engagement. Roughly 25% of the time is focused on the installation of prerequisites such as Power BI Report Server and the basic Advanced Compliance installation. The remaining 75% of the engagement is focused on custom tuning of blacklisting rules, data review, and training walkthroughs to insure true alignment of the unique compliance needs in your environment. Key areas include:

  • Customize blacklist rules by leveraging wildcards to accurately meet your unique compliance requirements.
  • Tune collection filtering rules to accurately identify all in scope and out of scope devices.
  • Customize several other metrics and thresholds by tuning our unique SQL config table.
  • Training and focus on best practices to deploy updates that have been confirmed as both required and not deployed.
  • Careful consideration is made to ensure that all compliance training and assistance is performed within the guidelines of your internal change control processes.




The introduction of this solution has allowed SCCM Administrators to get a better view of the state of their SCCM environments.

So, you ask how do we get these Dashboards?? image013.png



If you are a Microsoft Premier customer, you can reach out to your TAMs to request a demo from the CMAC dev team and to ask delivery questions!!


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.