The Desired Configuration Management (DCM) feature in System Center Configuration Manager 2007 (ConfigMgr) enables customers to define configuration standards and policies and audit compliance of Windows systems throughout their IT organizations against those defined configurations.

The focus of Desired Configuration Management in Configuration Manager 2007 is the collection and reporting of configuration compliance data. Administrators are able to import configuration packs or create DCM configuration items and baselines using the editing features within ConfigMgr. Configuration baselines can then be targeted and deployed to collections of systems. The ConfigMgr client agent accepts configuration items and baselines from the ConfigMgr site server and audits the system for compliance to the configuration item and baseline definitions which have been targeted to that system. Administrators can choose to have the client generate Windows events and/or generate ConfigMgr state messages in response to non-compliant configuration detection. The non-compliance data is forwarded to that client’s site server and available for reporting or as criteria for query-based collections.

The data collected assists organizations in answering questions such as:

  1. What important configuration items have recently been changed on a malfunctioning system?

  2. How many desktop systems have non-standard configurations?

  3. Have our Exchange servers all been configured according to corporate standards?

Document Purpose: The purpose of this document is to provide Microsoft partners, Line-of-Business developers and advanced ConfigMgr administrators instructions on the use of the DCM Model Verification Tool (DCMMVTool.exe) for the validation and testing of configuration items and baselines authored externally from the ConfigMgr console.

Key Terms & Concepts

The following terms and concepts are essential to understanding DCM CI authoring.

Term Definitions

Configuration Item (CI)

CIs are units of configuration management that can be detected, applied, and removed from ConfigMgr managed machines. DCM supports five types of configuration item:

  • Application configuration item

  • Operating System configuration item

  • General configuration item

  • Software Updates configuration item

Note
General configuration items are referred to as BusinessPolicy configuration items in the DCMDigest.xsd.

Note
Software Updates CIs are created / administered through the Software Updates feature in Configuration Manager 2007 and can be referenced by configuration baselines. They cannot be directly authored via DCM or the DCM Digest.

General configuration item

General CIs are models of settings and objects which together represent a meaningful unit of configuration management whose identity is defined by enumeration of its settings and objects.

Examples of general configuration items might include:

  • Your organization’s security configuration policy

  • Compliance controls for Sarbanes-Oxley section 404

Application configuration item

Application CIs include all of the functionality of general configuration items, but their identity can be detected independently of their settings and objects. DCM in Configuration Manager 2007 supports two methods for detecting the presence of an application configuration item: (1) MSI; and (2) Script-based discovery. This CI-level discoverability allows application CIs to be referenced as prohibited or optional within the context of a configuration baseline.

Examples of application configuration items might include:

  • Microsoft Office Professional 2003

  • Microsoft Word

  • Your organization’s Finance Reporting Server LOB application

  • Hardware applications/appliances

Operating System configuration item

Operating System configuration items include all of the functionality of general configuration items but are tightly coupled with a specific version of the Windows operating system.

Examples of operating system configuration items might include:

  • Your organization’s Windows Server 2003 Datacenter server policy

Objects

Objects are configuration elements related to a CI which consist of an identity and one or more properties, including security access controls. DCM in Configuration Manager 2007 supports four object types: (1) file; (2) folder; (3) Global Assembly Cache (GAC) registered assemblies; and (4) registry keys. Objects may be defined for any Application, General, or Operating System configuration item.

Note
Objects are referred to as “Parts” in the DCMDigest.xsd.

Settings

Settings are configurable name/value pairs which influence the behavior of hardware and software. DCM can discover settings using any of the supported providers, including:

  • Registry

  • WMI (WQL query)

  • Microsoft SQL Server (SQL query)

  • Active Directory (LDAP)

  • XML (XPath query)

  • IIS Metabase

  • Script (JScript/VBScript/PowerShell)

Settings may be defined for any Application, General, or Operating System configuration item.

Tip
There is no relationship between objects and settings in DCM CIs. For example, it is not necessary to define a registry key object in order to define settings which happen to be located in that registry key location.

Validation

Validation consists of constraints applied to the settings and object properties discovered for a CI. Validation constraints may be applied on any setting or object property for any Application, General or Operating System configuration item.

Note
Validation is referred to as “Rules” in the DCMDigest.xsd.

Parent/Child configuration item

DCM supports derivation by extension for application, OS, and general configuration items, but not configuration baselines. A derived CI is called a Child CI and the original base CI is called its Parent CI. A Child CI can be used to add validation on the settings or object properties defined by its Parent CI. It can also add new settings and objects which were not defined for the Parent CI. This allows CI authors to define shared configuration data once in a common Parent CI.

Warning
DCM sets no restriction on the number of levels of CI inheritance. However, in order to minimize the administrative burden of managing the ConfigMgr environment, CI authors are strongly encouraged to limit themselves to no more than 1 or 2 levels of derivation.

Configuration Baseline

A configuration baseline is a complex type of CI which is composed of references to other CIs. The CI references apply constraints on the referenced CIs by classifying them as required, optional, or prohibited within the context of the baseline. The configuration baseline is the primary unit of administrative work for DCM administrators and can be assigned to ConfigMgr collections for compliance monitoring.

DCM Digest

The DCM Digest is an XML document that describes exactly one DCM configuration item or baseline. The XML Schema Definition called DCMDigest.xsd can be used with an XML editor like Microsoft Visual Studio 2005 to author valid DCM Digest XML. The XML Schema Definition called DCMDigestMetadata.xsd can be used to author chained discovery logic for settings and objects, or validation which relates the values of two or more settings.

Service Modeling Language (SML)

A modeling language built on XML standards that provides a rich set of constructs for modeling complex IT systems, including:

  1. Structure of the system: objects and relationships

  2. Desired configuration

  3. Administrative policies

  4. Management information such as events and performance counters, rules for determining the operational health of the system, etc.

For more information, see http://serviceml.org

Using the DCMMVTool.exe tool

The purpose of DCMMVTool.exe is to provide a lightweight UI-based tool for the validation and testing of configuration items and baselines authored based on the DCM Digest XML Schema Definition available as part of the Configuration Manager 2007 SDK. The tool can also be used to test partially-interpreted and uninterpreted configuration items.

The DCMMVTool offers three actions that can be applied to one or more DCMDigest, partially-interpreted, or uninterpreted configuration item XML documents:

Table 1 - DCM Model Verification Tool Actions

Actions Descriptions

Validate

This option will check the opened configuration item(s) and baseline(s) XML for schema and business logic violations. This should be used to ensure that the configuration item(s) and baseline(s) will successfully import into a Configuration Manager 2007 site.

Transform

This option will run the Validate action and then convert the opened DCM Digest XML document into SML. The output of this action is a partially-interpreted configuration item which can be edited to add complex discovery and validation that is not natively supported by the DCM Digest XML Schema Definition (DCMDigest.xsd).

For more information on partially-interpreted configuration items, refer to the Configuration Manager 2007 product documentation.

Discover

This option will run the Validate and Transform actions, if necessary, and then evaluate the configuration item(s) and/or baseline(s) against the computer where the DCMMVTool.exe is running. The output of this action is a DCM compliance report which can be used to validate the results of configuration items and baselines before importing them into a Configuration Manager 2007 site.

Usage

To begin using the DCMMVTool.exe, you must first have one or more configuration item and/or baseline XML files. The tool can be used with fully-interpreted, partially-interpreted, or uninterpreted configuration item XML files.

  1. Launch the DCMMVTool.exe

  2. From the File menu, choose the Open action and browse for a configuration item or baseline XML file

  3. Repeat step 2 for each configuration item and baseline XML file to be verified

  4. In the left-hand pane, select the configuration item or baseline to be verified and then launch any of the three available DCM Model Verification Tool actions from the menu

Note:

  • The Validate menu option can be used to validate each configuration item in isolation. Running validation on a baseline will not automatically validate any referenced configuration items.

  • To perform Discover on a configuration baseline, you must first open all referenced configuration items and baselines, recursively. Then, select the tab for the original configuration baseline in the left-hand pane and run the Discover action. The output compliance report will include details for all configuration items and baselines referenced by the selected configuration baseline.

  • To perform Discover on a child configuration item, you must open its parent and any other ancestor configuration items. Then, select the tab for the child configuration item in the left-hand pane and run the Discover action.
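The notes above require every referenced baseline, configuration item and ancestor to be opened by hand before Discover is run. The following added example (not part of the original document or of DCMMVTool) computes that set of files and reports references that have no file. The sample documents are constructed, and the element names and the `LogicalName` identity attribute are assumptions to be checked against DCMDigest.xsd.

```python
import xml.etree.ElementTree as ET

ID_ATTR = "LogicalName"  # assumed identity attribute; confirm against DCMDigest.xsd

# Constructed sample documents; element names are placeholders, not the real schema.
SAMPLE_DOCS = {
    "bl_servers.xml": '<Digest><Baseline LogicalName="BL_Servers">'
                      '<Required><Ref LogicalName="CI_IIS_Hardened"/>'
                      '<Ref LogicalName="BL_Common"/></Required></Baseline></Digest>',
    "bl_common.xml": '<Digest><Baseline LogicalName="BL_Common">'
                     '<Required><Ref LogicalName="CI_OS_Policy"/></Required>'
                     '</Baseline></Digest>',
    "ci_iis_hardened.xml": '<Digest><Application LogicalName="CI_IIS_Hardened">'
                           '<Parent><Ref LogicalName="CI_IIS_Base"/></Parent>'
                           '</Application></Digest>',
    "ci_iis_base.xml": '<Digest><Application LogicalName="CI_IIS_Base"/></Digest>',
}  # CI_OS_Policy deliberately has no file, to show the missing-reference case


def index_documents(docs):
    """Map each item's identity to (file name, identities it references)."""
    index = {}
    for name, text in docs.items():
        item = ET.fromstring(text)[0]  # assumed: first child of the root is the item
        refs = {e.get(ID_ATTR) for e in item.iter()
                if e is not item and e.get(ID_ATTR)}
        index[item.get(ID_ATTR)] = (name, refs)
    return index


def files_to_open(docs, start_id):
    """Return (files to open before Discover, referenced identities with no file)."""
    index = index_documents(docs)
    files, missing, seen, stack = [], set(), set(), [start_id]
    while stack:
        ident = stack.pop()
        if ident in seen:
            continue  # already handled; this also stops reference cycles
        seen.add(ident)
        if ident not in index:
            missing.add(ident)
            continue
        name, refs = index[ident]
        files.append(name)
        stack.extend(sorted(refs, reverse=True))
    return files, sorted(missing)


if __name__ == "__main__":
    files, missing = files_to_open(SAMPLE_DOCS, "BL_Servers")
    print("open:", files)
    print("no file found for:", missing)
```

Digest files received from outside the organization should be parsed with a hardened XML parser (for example the defusedxml package) rather than the standard-library parser used here.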

File menu options

Table 2 - DCM Model Verification Tool File Menu Options

Actions Descriptions

Open

Open a configuration item or baseline XML file.

Save Output

Save the information displayed in the right-hand “Output” pane to a file.

Close

Close the currently selected configuration item or baseline.

Write Log

Save the information displayed in the logging pane at the bottom of the UI display to a file.

Reset

Close all configuration items and baselines and clear the Output pane.

Exit

Close the DCMMVTool.

Import your tested configuration item to Configuration Manager

At this point, you have completed your DCM configuration item using substitution references. You may now import the final configuration item via the SDK or create a Cabinet file (.cab) with your configuration item XML and import via the ConfigMgr console.