The Desired Configuration Management (DCM) feature in System Center Configuration Manager 2007 (ConfigMgr) enables customers to define configuration standards and policies and audit compliance of Windows systems throughout their IT organizations against those defined configurations.
The focus of Desired Configuration Management in Configuration Manager 2007 is the collection and reporting of configuration compliance data. Administrators are able to import configuration packs or create DCM configuration items and baselines using the editing features within ConfigMgr. Configuration baselines can then be targeted and deployed to collections of systems. The ConfigMgr client agent accepts configuration items and baselines from the ConfigMgr site server and audits the system for compliance to the configuration item and baseline definitions which have been targeted to that system. Administrators can choose to have the client generate Windows events and/or generate ConfigMgr state messages in response to non-compliant configuration detection. The non-compliance data is forwarded to that client’s site server and available for reporting or as criteria for query-based collections.
The data collected assists organizations in answering questions such as:
- What important configuration items have recently been changed
on a malfunctioning system?
- How many desktop systems have non-standard configurations?
- Have our Exchange servers all been configured according to
corporate standards?
Document Purpose: The purpose of this document is to provide Microsoft partners, Line-of-Business developers and advanced ConfigMgr administrators instructions on the use of the DCM Model Verification Tool (DCMMVTool.exe) for the validation and testing of configuration items and baselines authored externally from the ConfigMgr console.
Key Terms & Concepts
The following terms and concepts are essential to understanding DCM CI authoring.
Term | Definitions | ||||
---|---|---|---|---|---|
Configuration Item (CI) |
CIs are units of configuration management that can be detected, applied, and removed from ConfigMgr managed machines. DCM supports five types of configuration item:
|
||||
General configuration item |
General CIs are models of settings and objects which together represent a meaningful unit of configuration management whose identity is defined by enumeration of its settings and objects. Examples of general configuration items might include:
|
||||
Application configuration item |
Application CIs include all of the functionality of general configuration items but whose identity can be detected independently of its settings and objects. DCM in Configuration Manager 2007 supports two methods for detecting the presence of an application configuration item: (1) MSI; and (2) Script-based discovery. This CI-level discoverability allows application CIs to be referenced as prohibited or optional within the context of a configuration baseline. Examples of application configuration items might include:
|
||||
Operating System configuration item |
Operating System configuration items include all of the functionality of general configuration items but are tightly coupled with a specific version of the Windows operating system. Examples of operating system configuration items might include:
|
||||
Objects |
Objects are configuration elements related to a CI which consist of an identity and one or more properties, including security access controls. DCM in Configuration Manager 2007 supports four object types: (1) file; (2) folder; (3) Global Assembly Cache (GAC) registered assemblies; and (4) registry keys. Objects may be defined for any Application, General, or Operating System configuration item.
|
||||
Settings |
Settings are configurable name/value pairs which influence the behavior of hardware and software. DCM can discover settings using any of the supported providers, including:
Settings may be defined for any Application, General, or Operating System configuration item.
|
||||
Validation |
Validation consists of constraints applied to the settings and object properties discovered for a CI. Validation constraints may be applied on any setting or object property for any Application, General or Operating System configuration item.
|
||||
Parent/Child configuration item |
DCM supports derivation by extension for application, OS, and general configuration items, but not configuration baselines. A derived CI is called a Child CI and the original base CI is called its Parent CI. A Child CI can be used to add validation on the settings or object properties defined by its Parent CI. It can also add new settings and objects which were not defined for the Parent CI. This allows CI authors to define shared configuration data once in a common Parent CI.
|
||||
Configuration Baseline |
A configuration baseline is a complex type of CI which is composed of references to other CIs. The CI references apply constraints on the referenced CIs by classifying them as required, optional, or prohibited within the context of the baseline. The configuration baseline is the primary unit of administrative work for DCM administrators and can be assigned to ConfigMgr collections for compliance monitoring. |
||||
DCM Digest |
The DCM Digest is an XML document that describes exactly one DCM configuration item or baseline. The XML Schema Definition called DCMDigest.xsd can be used with an XML editor like Microsoft Visual Studio 2005 to author valid DCM Digest XML. The XML Schema Definition called DCMDigestMetadata.xsd can be used to author chained discovery logic for settings and objects, or validation which relates the values of two or more settings. |
||||
Service Modeling Language (SML) |
A modeling language built on XML standards that provides a rich set of constructs for modeling complex IT systems, including:
For more information, see http://serviceml.org |
Using the DCMMVTool.exe tool
The purpose for the DCMMVTool.exe is to provide a lightweight UI-based tool for the validation and testing of configuration items and baselines authored based on the DCM Digest XML.
Schema Definition available as part of the Configuration Manager 2007 SDK. The tool can also be used to test partially-interpreted and uninterpreted configuration items.
The DCMMVTool offers three actions that can be applied to one or more DCMDigest, partially-interpreted, or uninterpreted configuration item XML documents:
Table 1 - DCM Model Verification Tool Actions
Actions | Descriptions |
---|---|
Validate |
This option will check the opened configuration item(s) and baseline(s) XML for schema and business logic violations. This should be used to ensure that the configuration item(s) and baseline(s) will successfully import into a Configuration Manager 2007 site. |
Transform |
This option will run the Validate action and then convert the opened DCM Digest XML document into SML. The output of this action is a partially-interpreted configuration item which can be edited to add complex discovery and validation that is not natively supported by the DCM Digest XML Schema Definition (DCMDigest.xsd). For more information on partially-interpreted configuration items, refer to the Configuration Manager 2007 product documentation. |
Discover |
This option will run the Validate and Transform actions, if necessary, and then evaluate the configuration item(s) and/or baseline(s) against the computer where the DCMMVTool.exe is running. The output of this action is a DCM compliance report which can be used to validate the results of configuration items and baselines before importing them into a Configuration Manager 2007 site. |
Usage
To begin using the DCMMVTool.exe, you must first have one or more configuration item and/or baseline XML files. The tool can be used with fully-interpreted, partially- interpreted, or un-interpreted configuration item XML files.
- Launch the DCMMVTool.exe
- From the File menu, choose the Open action and browse for a
configuration item or baseline XML file
- Repeat step 2 for each configuration item and baseline XML file
to be verified
- In the left-hand pane, select the configuration item or
baseline to be verified and then launch any of the three available
DCM Model Verification Tool actions from the menu
Note:
- The Validate menu option can be used to
validate each configuration item in isolation. Running validation
on a baseline will not automatically validate any referenced
configuration items.
- To perform Discover on a configuration
baseline, you must first open all referenced configuration items
and baselines, recursively. Then, select the tab for the original
configuration baseline in the left-hand pane and run the Discover
action. The output compliance report will include details for all
configuration items and baselines referenced by the selected
configuration baseline.
- To perform Discover on a child configuration
item, you must open its parent and any other ancestor configuration
items. Then, select the tab for the child configuration item in the
left-hand pane and run the Discover action.
File menu options
Table 2 - DCM Model Verification Tool File Menu Options
Actions | Descriptions |
---|---|
Open |
Open a configuration item or baseline XML file. |
Save Output |
Save the information displayed in the right-hand “Output” pane to a file. |
Close |
Close the currently selected configuration item or baseline. |
Write Log |
Save the information displayed in the logging pane at the bottom of the UI display to a file. |
Reset |
Close all configuration items and baselines and clear the Output pane. |
Exit |
Close the DCMMVTool. |
Import your tested configuration item to Configuration Manager
At this point, you have completed your DCM configuration item using substitution references. You may now import the final configuration item via the SDK or create a Cabinet file (.cab) with your configuration item XML and import via the ConfigMgr console.