Controls are the building blocks of a compliance policy. Each control pertains to one or more operating systems and/or applications, which are referred to as technologies. Checks performed by the service to validate the control may differ for each technology that it applies to. For each technology, you can view a description of the check and the required value for compliance as defined by the service. The value may be edited if appropriate for your organization.
Note that you can add as many controls to a policy as you like but may only select up to 200 controls at a time.
Click the Add Controls button on the top menu bar to add controls to the policy. The Select Controls pop-up appears where you can search for controls to add. Select the check box next to each control to add and then click the Add button at the bottom of the pop-up. The selected controls are automatically added to the last section in the policy. Move the controls to different sections by changing the control number.
Click Controls to add one or more controls to a particular section in the policy.
Click Control to remove a control from a particular section in the policy.
Each control is numbered. Controls listed in section 1 are numbered 1.1, 1.2, 1.3, and so on. Controls listed in section 2 are numbered 2.1, 2.2, 2.3, and so on.
To re-order controls within a section of your policy, click on the control number and then enter a new number in the pop-up that appears. For example, change control 1.4 to 1.1 to move it up in the section. You can also move a control from one section in the policy to a different section in the policy. For example, change control 1.1 to 2.1 to move it from section 1 to section 2.
After adding a control to a policy, note the control value. The default value follows security best practices and compliance standards.
For some controls, you can edit the expected values as appropriate for your organization. Depending on the control, you may be required to select an operator (for example, less than, greater than, equal to), select a cardinality (for example, match any, match all, empty), or both. Then enter the expected value in the field provided.
Manager and Auditor users are allowed to add custom controls to the subscription. When doing so, they set a default value for each technology that the control applies to. The user adding the control also has the option to lock different parts of the control, including the default value, operator and cardinality. Any part of the control that is locked will appear grayed out in the Policy Editor and cannot be changed.
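The following is an added illustration, not the service's own code, of how the operator and cardinality choices, the lock set by the user who added a control, and the section.position renumbering described above fit together. The evaluation semantics (what "match any", "match all" and "empty" mean against collected data points) are assumptions made for the example; the control names and values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Comparison operators the Policy Editor offers for an editable expected value.
OPERATORS = {
    "less than": lambda actual, expected: actual < expected,
    "greater than": lambda actual, expected: actual > expected,
    "equal to": lambda actual, expected: actual == expected,
}
CARDINALITIES = ("match any", "match all", "empty")

@dataclass
class Control:
    name: str                            # constructed label, e.g. "c1"
    expected: Optional[int] = None
    operator: Optional[str] = None       # key of OPERATORS
    cardinality: str = "match all"
    locked: bool = False                 # set by the Manager/Auditor who added it

def evaluate(control: Control, collected: List[int]) -> bool:
    """Assumed semantics: 'empty' passes only when nothing was collected; otherwise
    every ('match all') or at least one ('match any') collected data point must
    satisfy <operator> against the expected value."""
    if control.cardinality == "empty":
        return len(collected) == 0
    if control.operator not in OPERATORS or control.expected is None:
        raise ValueError("operator and expected value are required")
    hits = [OPERATORS[control.operator](v, control.expected) for v in collected]
    return bool(hits) and (any(hits) if control.cardinality == "match any" else all(hits))

def set_expected(control: Control, expected: int, operator: str, cardinality: str) -> Control:
    """Edit the value the way the Policy Editor allows, honouring a locked control."""
    if control.locked:
        raise PermissionError(f"'{control.name}' is locked and cannot be changed")
    if operator not in OPERATORS or cardinality not in CARDINALITIES:
        raise ValueError("unknown operator or cardinality")
    control.expected, control.operator, control.cardinality = expected, operator, cardinality
    return control

def move_control(policy: Dict[int, List[Control]], old: str, new: str) -> Dict[int, List[Control]]:
    """Renumber a control: '1.4' -> '1.1' reorders within section 1, '1.1' -> '2.1'
    moves it to section 2. Numbers are section.position, 1-based."""
    old_sec, old_pos = (int(p) for p in old.split("."))
    new_sec, new_pos = (int(p) for p in new.split("."))
    ctl = policy[old_sec].pop(old_pos - 1)
    policy.setdefault(new_sec, []).insert(new_pos - 1, ctl)
    return policy

def numbered(policy: Dict[int, List[Control]]) -> Dict[str, str]:
    """Current numbering: section 1 controls are 1.1, 1.2, ...; section 2 are 2.1, ..."""
    return {f"{sec}.{i}": c.name
            for sec in sorted(policy) for i, c in enumerate(policy[sec], start=1)}
```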
See Control Values for more information on specifying integer values, regular expressions, and Windows permissions following the mapping used by the compliance module. Special data point status codes (314159265358979 and 161803399999999) are also explained.
A deprecated control is a control that has been retired for all technologies. Each deprecated control has one or more replacement controls provided by the service. When editing a policy with deprecated controls, you'll see a warning message below the menu bar indicating the number of deprecated controls in the policy.
There are two methods for replacing deprecated controls in a policy.
1) Click the "Replace all now" link in the warning message to replace all deprecated controls in the policy. Be sure to save the policy.
2) Click the "Deprecated Controls" button in the menu bar and select a control from the list to jump to the control in the policy. Below the control click Replace. Be sure to save the policy.
Note the following:
When a replacement control is added to your policy, the control is added for all relevant technologies in the policy's global technologies list, that is, any technology that the replacement control has been implemented for.
If the deprecated control had a user-customized value set in the policy, the service will use the custom value for the replacement controls whenever possible. For example, if a deprecated control had two datapoints linked together by an "AND" condition and the datapoints haven't changed but are simply being split into two separate controls, the datapoint values previously set for the deprecated control will be applied to the replacement controls.