Desired configuration management in Microsoft System Center Configuration Manager 2007 allows you to assess the compliance of computers with regard to a number of configurations, such as whether all required applications are installed and configured correctly. You can also assess whether optional applications are installed and configured appropriately and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define the state those items must be in to be considered compliant. Configuration baselines can be imported from the Web as Best Practices, defined within Configuration Manager 2007, or defined externally and then imported into Configuration Manager.
Note: Configuration data that has been published by Microsoft and other software vendors and solution providers as Best Practices configurations is available for download from the Microsoft Configuration Data Download Web site.
After a configuration baseline is defined, it can be assigned to computers through collections and evaluated on a schedule. Client computers can have multiple configuration baselines assigned to them, which provides for precise administration. Client computers evaluate their compliance with each configuration baseline and report back the results to the site. If the client is not connected to the network and therefore cannot immediately send the compliance information, the compliance information is sent on reconnection.
You can monitor the results of configuration baseline compliance evaluation from the Desired Configuration Management home page in the Configuration Manager console. You can also run a number of desired configuration management reports to obtain details, such as which computers are compliant or non-compliant and which element of the configuration baseline is causing a computer to be non-compliant. You can also view compliance evaluation results on the client itself by using the Configurations tab in the Configuration Manager Properties dialog box.
You can use desired configuration management to support the following business requirements:
- Compare the configuration of computers in your enterprise against Best Practices configurations from Microsoft and other vendors.
- Verify the configuration of provisioned computers against one or more custom defined configuration baselines before the computers go into production.
- Identify computer configurations that are not authorized by change control procedures.
- Prioritize non-compliance with three levels of severity.
- Report compliance with regulatory policies and in-house security policies.
- Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.
- Provide the help desk with the means to detect probable causes for reported incidents and problems by identifying non-compliant configurations.
- Remediate non-compliance with software distribution that targets computers with software packages or scripts by using a collection that is automatically populated with computers reporting non-compliance.
- Take advantage of management products that monitor Windows events on computers to take automatic action when a configuration is reported out of compliance.
- Use the Desired Configuration Management dashboard to identify required and prohibited configurations and report compliance against those definitions.
Configuration Baselines
Baselines are used to define the configuration of a product or system established at a specific point in time, capturing both structure and details. Configuration baselines in Configuration Manager contain a defined set of desired configurations that are evaluated for compliance as a group.
Configuration baselines contain one or more configuration items with associated rules, and they are assigned to computers through collections, together with a compliance evaluation schedule.
Note: Although you can assign configuration baselines to a collection that contains users, the configuration baselines are evaluated only by computers in the collection, and not by users in the collection.
You can create your own configuration baselines with the Configuration Manager 2007 console, and you can import configuration baselines from the following sources:
- A Best Practice configuration baseline from Microsoft or other vendors
- Custom authored configuration baselines from within your own organization, but external to Configuration Manager
- Another Configuration Manager site
Configuration Items
Configuration items define a discrete unit of configuration to assess for compliance. They can contain one or more elements and their validation criteria, and they typically define a unit of configuration you want to monitor at the level of independent change.
Configuration items are the building blocks for configuration baselines, and consequently the same configuration item can be used in multiple configuration baselines.
Configuration Manager supports the following configuration item types:
- Operating system configuration item: A configuration item to determine compliance for settings that relate to the operating system version and configuration.
- Application configuration item: A configuration item to determine compliance for an application. This can include whether the application is installed in addition to details about its configuration.
- General configuration item: A configuration item to determine compliance for general settings and objects, where their existence does not depend on the operating system, an application, or a software update.
- Software updates configuration item: A configuration item to determine compliance of software updates by using the software updates feature in Configuration Manager.
Configuration Categories
Configuration categories offer an optional method of sorting and filtering configuration baselines and configuration items within the Configuration Manager console, and in Configuration Manager reports. Using configuration categories can be particularly useful when you have many configuration items and configuration baselines to manage.
Both configuration items and configuration baselines in Configuration Manager share the same configuration categories and have the following default categories, which are examples:
- Client
- IT Infrastructure
- Line of Business
- Server
You cannot rename these example categories, but you can delete them and add your own configuration categories. Configuration items and configuration baselines can belong to more than one configuration category at a time.
Configuration categories appear only in the Configuration Manager console, and in Configuration Manager reports. Configuration categories do not appear on the client Configurations tab or in reports that are generated from the client with the View Report button. Also, the category information is not included when you export configuration data to a file. However, configuration categories that are created in a parent site are inherited by a child site, and configuration data that is inherited from a parent site retains its configuration category information from the parent site.
Non-Compliance Severity Level
The non-compliance severity level allows you to rate the severity of the non-compliance status so that you can prioritize attention and remedial action. It can be configured for two purposes:
- When an object or setting within a configuration item is not present on the client computer.
- When an object or setting within a configuration item is present on the client computer but fails the validation criteria.
Because you can have many objects or settings within a single configuration item, each with their own non-compliance severity level, the client's compliance evaluation for that configuration item records the highest non-compliant severity level. Similarly, because a configuration baseline typically contains a number of configuration items, the client's compliance evaluation for the configuration baseline will record the highest non-compliant severity level reported by the configuration items it contains.
These non-compliance details are reported to the site in state messages. In addition, clients send status messages when the compliance status of a configuration item or configuration baseline changes from one compliance status to another, for example, from unknown to compliant or from compliant to non-compliant on re-evaluation.
Non-compliance severity levels are also used to produce Microsoft Windows application event messages. These can be displayed on the client computer and collected by management products such as Microsoft System Center Operations Manager 2007. Management products can often be configured to take automatic action on the collected Windows events if they match defined criteria. For example, you could run automatic scripts if critical servers reported non-compliance, or you could send an e-mail to administrators to warn them about a desktop that is not configured correctly.
The non-compliance severity level can be configured with the following options:
- None: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) do not log a Windows application event message. Computers send a state message and status message with the non-compliant severity level of None.
- Informational: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) log a Windows application event message of the type Informational. State messages and status messages that are sent by the client have the non-compliant severity level of Informational.
- Warning: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) log a Windows application event message of the type Warning. State messages and status messages sent by the client have the non-compliant severity level of Warning.
- Error: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) log a Windows application event message of the type Error. State messages and status messages sent by the client have the non-compliant severity level of Error.
In addition to using the Windows application events, you can use the status messages in Configuration Manager 2007 to filter on non-compliance results in the Desired Configuration Management home page, in reports, and in queries.
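The severity roll-up described above (each setting carries its own non-compliance severity, a configuration item records the highest severity among its settings, a baseline records the highest among its items, and that level decides whether a Windows application event is logged and whether a status change is worth a status message) can be modelled in a few lines. The following is an added example written for this page, not Configuration Manager code; the class names, the firewall and service settings and the severity assignments are all constructed for illustration, and the model ignores how the client actually reads settings from the computer.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Non-compliance severity levels, lowest to highest, as named in the text.
SEVERITY_ORDER = ["None", "Informational", "Warning", "Error"]
# Windows application event type logged for each level; "None" logs no event.
EVENT_TYPE = {"Informational": "Information", "Warning": "Warning", "Error": "Error"}


def highest_severity(levels: List[str]) -> Optional[str]:
    """Highest level in `levels`; Python None means nothing was non-compliant.
    (The string "None" is itself a level: non-compliant, but logs no event.)"""
    if not levels:
        return None
    return max(levels, key=SEVERITY_ORDER.index)


@dataclass
class Setting:
    """One object or setting inside a configuration item (constructed model)."""
    name: str
    present: bool                                        # exists on the client?
    value: object = None
    is_valid: Callable[[object], bool] = lambda v: True  # validation criteria
    severity_if_missing: str = "Warning"                 # object/setting not present
    severity_if_invalid: str = "Warning"                 # present but fails criteria

    def evaluate(self) -> Optional[str]:
        if not self.present:
            return self.severity_if_missing
        if not self.is_valid(self.value):
            return self.severity_if_invalid
        return None  # compliant


@dataclass
class ConfigurationItem:
    name: str
    settings: List[Setting] = field(default_factory=list)

    def evaluate(self) -> Optional[str]:
        """Record the highest non-compliant severity among the item's settings."""
        results = [s.evaluate() for s in self.settings]
        return highest_severity([r for r in results if r is not None])


@dataclass
class ConfigurationBaseline:
    name: str
    items: List[ConfigurationItem] = field(default_factory=list)

    def evaluate(self) -> Tuple[Optional[str], Dict[str, Optional[str]]]:
        """Return (baseline severity, per-item severities): the baseline records
        the highest severity reported by the configuration items it contains."""
        per_item = {ci.name: ci.evaluate() for ci in self.items}
        overall = highest_severity([s for s in per_item.values() if s is not None])
        return overall, per_item


def windows_event_type(severity: Optional[str]) -> Optional[str]:
    """Event type written to the application log, or None for no event
    (a compliant result and the "None" level both log nothing)."""
    return EVENT_TYPE.get(severity)


class ComplianceTracker:
    """Remember the last reported status per object so that a status message
    is produced only when the status changes (e.g. Unknown -> Compliant)."""

    def __init__(self) -> None:
        self.last_status: Dict[str, str] = {}

    def report(self, name: str, severity: Optional[str]) -> Optional[str]:
        new = "Compliant" if severity is None else "Non-compliant"
        old = self.last_status.get(name, "Unknown")
        self.last_status[name] = new
        return f"{old} -> {new}" if old != new else None


def build_sample_baselines() -> Tuple[ConfigurationBaseline, ConfigurationBaseline]:
    """Constructed sample: one item with two failing settings, one compliant
    item, and the compliant item reused by a second baseline."""
    firewall = ConfigurationItem("Windows Firewall", [
        Setting("EnableFirewall", present=True, value=0,
                is_valid=lambda v: v == 1, severity_if_invalid="Error"),
        Setting("LogFilePath", present=False, severity_if_missing="Informational"),
    ])
    remote_registry = ConfigurationItem("Remote Registry service", [
        Setting("StartType", present=True, value="Disabled",
                is_valid=lambda v: v == "Disabled", severity_if_invalid="Warning"),
    ])
    return (ConfigurationBaseline("Server baseline", [firewall, remote_registry]),
            ConfigurationBaseline("Service baseline", [remote_registry]))


if __name__ == "__main__":
    tracker = ComplianceTracker()
    for baseline in build_sample_baselines():
        overall, per_item = baseline.evaluate()
        print(baseline.name, "->", overall or "Compliant", per_item)
        print("  event:", windows_event_type(overall),
              "| status message:", tracker.report(baseline.name, overall))
```

Running the script shows the point of the roll-up: the "Server baseline" reports Error because its firewall item does, even though its other item is compliant, while the "Service baseline" that reuses the same compliant item reports no non-compliance at all. Note the difference between the two message kinds the text describes: the severity travels in every state message, whereas the tracker emits a status message only on a transition.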
Validation Criteria
The validation criteria define how objects and settings within a configuration item are considered compliant or non-compliant. For example, a registry key setting can be considered compliant if it is set to a specific value, or to any value within a range, that you consider acceptable. The validation criteria that you can specify depend on the data type of the object property or setting.
Additionally, you can validate the Windows security permissions on registry key objects and on file or folder objects. Permissions can be validated exclusively or non-exclusively. Exclusive validation on permissions means that permissions and groups or users that are not specified result in a non-compliance status. Non-exclusive validation on permissions means that permissions and groups or users that are not specified are not included when assessing compliance.
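The exclusive versus non-exclusive distinction matters most for permission checks, because a non-exclusive rule cannot see an access control entry it was never told about. The following added example (written for this page, not Configuration Manager code) models the two kinds of validation criteria just described: a value that must equal a set value or fall within a range, and permissions on a registry key or folder validated exclusively or non-exclusively. It assumes that in both modes every specified principal must hold every specified right; the ACL is modelled as a mapping from principal to a set of right names, and the sample ACLs are constructed, not read from any real system.

```python
from typing import Dict, List, Set, Tuple

# An ACL is modelled as {principal: set of rights}. Reading a real DACL from
# the registry key or folder is out of scope for this example.
Acl = Dict[str, Set[str]]


def validate_value(actual, expected=None, low=None, high=None) -> bool:
    """Value criteria: compliant if `actual` equals the set value, or lies in
    the inclusive range [low, high]."""
    if expected is not None:
        return actual == expected
    if low is not None and high is not None:
        return low <= actual <= high
    raise ValueError("give either expected= or both low= and high=")


def validate_permissions(actual: Acl, specified: Acl,
                         exclusive: bool) -> Tuple[bool, List[str]]:
    """Permission criteria. Returns (compliant, findings).

    Assumption: in both modes every specified principal must hold every
    specified right. Exclusive mode additionally reports rights and
    principals that were not specified; non-exclusive mode ignores them."""
    findings: List[str] = []
    for principal, rights in specified.items():
        held = actual.get(principal)
        if held is None:
            findings.append(f"{principal}: principal not present on object")
            continue
        missing = rights - held
        if missing:
            findings.append(f"{principal}: missing rights {sorted(missing)}")
        if exclusive:
            extra = held - rights
            if extra:
                findings.append(f"{principal}: unspecified rights {sorted(extra)}")
    if exclusive:
        for principal in sorted(actual.keys() - specified.keys()):
            findings.append(
                f"{principal}: unspecified principal holds {sorted(actual[principal])}")
    return (not findings, findings)


# Constructed sample: the permissions an application folder is expected to have ...
SPECIFIED_ACL: Acl = {
    "BUILTIN\\Administrators": {"FullControl"},
    "NT AUTHORITY\\SYSTEM": {"FullControl"},
    "BUILTIN\\Users": {"ReadAndExecute"},
}

# ... and what the client reports, with an extra Everyone entry granting full
# control. (Constructed data, not output from any real system.)
ACTUAL_ACL: Acl = {
    "BUILTIN\\Administrators": {"FullControl"},
    "NT AUTHORITY\\SYSTEM": {"FullControl"},
    "BUILTIN\\Users": {"ReadAndExecute"},
    "Everyone": {"FullControl"},
}


def run_sample() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate the constructed ACL against the specification in both modes."""
    return {
        "non_exclusive": validate_permissions(ACTUAL_ACL, SPECIFIED_ACL, exclusive=False),
        "exclusive": validate_permissions(ACTUAL_ACL, SPECIFIED_ACL, exclusive=True),
    }


if __name__ == "__main__":
    # Value criteria on constructed DWORD-style registry values.
    print("value == 1:", validate_value(1, expected=1))
    print("14 within [8, 14]:", validate_value(14, low=8, high=14))
    print("7 within [8, 14]:", validate_value(7, low=8, high=14))
    for mode, (ok, findings) in run_sample().items():
        print(mode, "compliant" if ok else "NON-COMPLIANT", findings)
```

The non-exclusive check passes the sample ACL because every specified principal holds exactly what was specified; only the exclusive check reports the unspecified Everyone entry. For permission checks whose purpose is to catch over-permissive objects, that makes exclusive validation the setting to prefer, with the understanding that every legitimate principal must then be listed in the configuration item.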
Compliance Evaluation Schedules
Assigned configuration baselines are evaluated by clients on a defined schedule, even if the computer is not connected to the network. A site has a default compliance evaluation schedule that can be overridden for each configuration baseline assignment. The specified time is evaluated in the client's local time.
As with other schedules within Configuration Manager, the compliance evaluation schedules can be configured as a simple schedule (such as every 6 hours) or a custom schedule (such as every Sunday at 2 A.M.).