You must have specific permissions to perform this function. For more information, speak to the Secure Configuration Manager administrator.
You can create temporary waivers, or exceptions, to prevent conditions from causing a violation in the reported results for a security check associated with a policy template.
You can also run a security check that contains a saved list, then modify the values in the list. For more information, see Including or Excluding Values in a Security Check Parameter.
You can create and apply the following types of exceptions:
Endpoints or a group of endpoints for individually run security checks
Endpoints or a group of endpoints for security checks in a policy template run
Typically, you create an exception when you do not want a particular violation to display in the assessment report, or when you want to prevent a particular security check from running for an endpoint or a group of endpoints. For example, if a server in your environment is currently undergoing maintenance, you might want to create an exception to suspend monitoring that server with certain security checks.
When creating an exception, you can specify a reason for excepting that security check or endpoint. The Web console provides default reasons for the exception, or you can create your own. You can also specify the time frame during which the exception will be active.
After you apply an exception, the Web console re-generates the report. The updated report shows Applied in the Exceptions column.
NOTE: In some organizations, exceptions must be approved before they can go into effect in an assessment report. For more information, see Manage Exceptions with an Approval Process.
1. Open the assessment report where you want to make the exception.
2. (Conditional) To make an exception based on a security check, select the Security Checks tab.
   The Create exception wizard prompts you later to specify the endpoints or groups that you want to associate with the selected security checks.
3. (Conditional) To make an exception based on an endpoint or group, select the Endpoints tab.
   The Create exception wizard prompts you later to specify the security checks that you want to associate with the selected endpoints or groups.
4. Select the security checks or endpoints that you want to except, then click Create exception.
5. (Conditional) If you selected security checks in Step 4, specify the endpoints that you want to except from the security check results.
6. (Conditional) If you selected endpoints or groups in Step 4, specify the security checks whose results you want to exclude from the report.
7. Click Next.
8. Specify a name, description, and reason for the exception.
9. (Conditional) If you create a custom Reason for the exception, ensure that you also enter a description of the reason so that other users can understand the reason’s purpose.
10. Click Enable to activate the exception.
11. (Optional) To set a time limit on the exception, specify start and end dates.
    If you do not specify a value for End date, the exception never expires.
12. Click Create.
13. (Optional) Create another exception.
14. To apply the exceptions, click ... > Apply exceptions.
15. To view the report with exceptions applied, return to Reports > Assessments and open the report, which should now say Applied in the Exceptions column.
By default, Secure Configuration Manager allows you to apply exceptions to security check results or endpoints immediately. However, your console administrator can require that exceptions receive approval before being applied to security check results, an endpoint, or a group of endpoints. This option gives you the flexibility to add an exception approval level to your change management workflow.
If you enable the approval process, the exceptions created and applied in the Web console must be approved in the Windows console before they can go into effect. For more information, see “Enabling Exception Approvals” in the User’s Guide to Secure Configuration Manager.
When you delete an exception from an assessment report, you cannot re-apply it. Instead, everything associated with that exception is removed from the database.
As an alternative, to save the exception for later use, use the Windows console to revoke the exception. For more information, see the Help for the Windows console.
1. Select Utilities > Exceptions.
2. Select one or more exceptions that you want to delete.
3. Select Delete.