Desired configuration management in System Center 2012 R2 Configuration Manager allows you to assess the compliance of computers with regard to a number of configurations, such as whether all required applications are installed and configured correctly. You can also assess whether optional applications are installed and configured appropriately and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define how they should be defined for compliance. Configuration baselines can be imported from the Web as Best Practices, defined within System Center 2012 R2 Configuration Manager, or defined externally and then imported into Configuration Manager.
 Note |
|---|
| Download configuration data that has been published by Microsoft and other software vendors and solution providers as Best Practices configurations is available from the Microsoft Configuration Data Download Web site. |
After a configuration baseline is defined, it can be assigned to computers through collections and evaluated on a schedule. Client computers can have multiple configuration baselines assigned to them, which provides for precise administration. Client computers evaluate their compliance with each configuration baseline and report back the results to the site. If the client is not connected to the network and therefore cannot immediately send the compliance information, the compliance information is sent on reconnection.
You can monitor the results of the configuration baseline evaluation compliance from the Desired Configuration Management home page in the Configuration Manager console. You can also run a number of desired configuration management reports to obtain details, such as which computers are compliant or non-compliant and which element of the configuration baseline is causing a computer to be non-compliant. You can also view compliance evaluation results from the client itself by using the Configurations tab from Configuration Manager Properties dialog box.
You can use desired configuration management to support the following business requirements:
- Compare the configuration of computers in
your enterprise against Best Practices configurations from
Microsoft and other vendors.
- Verify the configuration of provisioned
computers against one or more custom defined configuration
baselines before the computers go into production.
- Identify computer configurations that are not
authorized by change control procedures.
- Prioritize non-compliance with three levels
of severity.
- Report compliance with regulatory policies
and in-house security policies.
- Identify security vulnerabilities, as defined
by Microsoft and other software vendors, across your
enterprise.
- Provide the help desk with the means to
detect probable causes for reported incidents and problems by
identifying non-compliant configurations.
- Remediate non-compliance with software
distribution that targets computers with software packages or
scripts by using a collection that is automatically populated with
computers reporting non-compliance.
- Take advantage of management products that
monitor Windows events on computers to take automatic action when a
configuration is reported out of compliance.
- Use the Desired Configuration Management
dashboard to identify required and prohibited configurations and
report compliance against those definitions.
| Note |
|---|
| For information about using desired configuration management in System Center 2012 R2 Configuration Manager, see http://go.microsoft.com/fwlink/?LinkId=103835. |
Configuration Baselines
Baselines are used to define the configuration of a product or system established at a specific point in time, capturing both structure and details. Configuration baselines in Configuration Manager contain a defined set of desired configurations that are evaluated for compliance as a group.
Configuration baselines contain one or more configuration items with associated rules, and they are assigned to computers through collections, together with a compliance evaluation schedule.
| Note |
|---|
| Although you can assign configuration baselines to a collection that contains users, the configuration baselines are evaluated only by computers in the collection, and not by users in the collection. |
You can create your own configuration baselines with the System Center 2012 R2 Configuration Manager console, and you can import configuration baselines from the following sources:
- A Best Practice configuration baseline from
Microsoft or other vendors
- Custom authored configuration baselines from
within your own organization, but external to Configuration
Manager
- Another Configuration Manager site
Configuration Items
Configuration items define a discrete unit of configuration to assess for compliance. They can contain one or more elements and their validation criteria, and they typically define a unit of configuration you want to monitor at the level of independent change.
Configuration items are the building blocks for configuration baselines, and consequently the same configuration item can be used in multiple configuration baselines.
Configuration Manager supports the following configuration item types:
- Operating system configuration item
- A configuration item to determine compliance for settings that relate to the operating system version and configuration.
- Application configuration item
- A configuration item to determine compliance for an application. This can include whether the application is installed in addition to details about its configuration.
- General configuration item
- A configuration item to determine compliance for general settings and objects, where their existence does not depend on the operating system, an application, or a software update.
- Software updates configuration item
- A configuration item to determine compliance of software updates by using the software updates feature in Configuration Manager.
Configuration Categories
Configuration categories offer an optional method of sorting and filtering configuration baselines and configuration items within the Configuration Manager console, and in Configuration Manager reports. Using configuration categories can be particularly useful when you have many configuration items and configuration baselines to manage.
Both configuration items and configuration baselines in Configuration Manager share the same configuration categories and have the following default categories, which are examples:
- Client
- IT Infrastructure
- Line of Business
- Server
You cannot rename the examples or categories, but you can delete them and add your own configuration categories. Configuration items and configuration baselines can belong to more than one configuration category at a time.
Configuration categories appear only in the Configuration Manager console, and in Configuration Manager reports. Configuration categories do not appear on the client Configurations tab or in reports that are generated from the client with the View Report button. Also, the category information is not included when you export configuration data to a file. However, configuration categories that are created in a parent site are inherited by a child site, and configuration data that is inherited from a parent site retains its configuration category information from the parent site.
Non-Compliance Severity Level
The non-compliance severity level allows you to rate the severity of the non-compliance status so that you can prioritize attention and remedial action. It can be configured for two purposes:
- When an object or setting within a
configuration item is not present on the client computer.
- When an object or setting within a
configuration item is present on the client computer but fails the
validation criteria.
Because you can have many objects or settings within a single configuration item, each with their own non-compliance severity level, the client's compliance evaluation for that configuration item records the highest non-compliant severity level. Similarly, because a configuration baseline typically contains a number of configuration items, the client's compliance evaluation for the configuration baseline will record the highest non-compliant severity level reported by the configuration items it contains.
These non-compliance details are reported to the site in state messages. In addition, clients send status messages when the compliance status of a configuration item or configuration baseline changes from one compliance status to another, for example, from unknown to compliant or from compliant to non-compliant on re-evaluation.
Non-compliance severity levels are also used to produce Microsoft Windows application event messages. These can be displayed on the client computer and collected by management products such as Microsoft System Center Operations Manager 2007. Management products can often be configured to take automatic action on the collected Windows events if they match defined criteria. For example, you could run automatic scripts if critical servers reported non-compliance, or you could send an e-mail to administrators to warn them about a desktop that is not configured correctly.
The non-compliance severity level can be configured with the following options:
- None: Computers that are not compliant
with one or more of the objects or settings in the configuration
item (either not present or present but fail the validation
criteria) do not log a Windows application event message. Computers
send a state message and status message with the non-compliant
severity level of None.
- Informational: Computers that are not
compliant with one or more of the objects or settings in the
configuration item (either not present or present but fail the
validation criteria) log a Windows application event message of the
type Informational. State messages and status messages that are
sent by the client have the non-compliant severity level of
Informational.
- Warning: Computers that are not
compliant with one or more of the objects or settings in the
configuration item (either not present or present but fail the
validation criteria) log a Windows application event message of the
type Warning. State messages and status messages sent by the client
have the non-compliant severity level of Warning.
- Error: Computers that are not
compliant with one or more of the objects or settings in the
configuration item (either not present or present but fail the
validation criteria) log a Windows application event message of the
type Error. State messages and status messages sent by the client
have the non-compliant severity level of Error.
In addition to using the Windows application events, you can use the status messages in System Center 2012 R2 Configuration Manager to filter on non-compliance results in the Desired Configuration Management home page, in reports, and in queries.
Validation Criteria
The validation criteria define how objects and settings within a configuration item are considered compliant or non-compliant. For example, a registry key setting can be considered compliant if it is a set value or a range of values that you consider acceptable. The validation criteria that you can specify depends on the data type of the object property or setting.
Additionally, you can validate the Windows security permissions on registry key objects and on file or folder objects. Permissions can be validated exclusively or non-exclusively. Exclusive validation on permissions means that permissions and groups or users that are not specified result in a non-compliance status. Non-exclusive validation on permissions means that permissions and groups or users that are not specified are not included when assessing compliance.
Compliance Evaluation Schedules
Assigned configuration baselines are evaluated by clients on a defined schedule, even if the computer is not connected to the network. A site has a default compliance evaluation schedule that can be overridden for each configuration baseline assignment. The specified time is evaluated in the client's local time.
As with other schedules within Configuration Manager, the compliance evaluation schedules can be configured as a simple schedule (such as every 6 hours) or a custom schedule (such as every Sunday at 2:00 A.M.).