Desired configuration management in Configuration Manager 2007 allows you to assess the compliance of computers with regard to a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define the compliance that you require. This configuration data can be imported from the Web in Microsoft System Center Configuration Manager 2007 Configuration Packs as best practices defined by Microsoft and other vendors, or defined within Configuration Manager, or defined externally and then imported into Configuration Manager.
Note: Download configuration data that has been published by Microsoft and other software vendors and solution providers from the Microsoft System Center Configuration Manager 2007 Configuration Packs Web page (http://go.microsoft.com/fwlink/?LinkId=71837).
After a configuration baseline is defined, it can be assigned to computers through collections and evaluated on a schedule. Client computers can have multiple configuration baselines assigned to them, which provides the administrator with a high level of control.
Client computers evaluate their compliance against each configuration baseline they are assigned and immediately report back the results to the site using state messages and status messages. If a client is not currently connected to the network but has downloaded the configuration items referenced in its assigned configuration baselines, the compliance information will be sent on reconnection.
You can monitor the results of configuration baseline compliance evaluation from the Desired Configuration Management home page in the Configuration Manager console. You can also run a number of desired configuration management reports to drill down into details, such as which computers are compliant or non-compliant and which element of the configuration baseline is causing a computer to be non-compliant. You can also view compliance evaluation results from the client itself by using the Configurations tab from Configuration Manager Properties.
You can use desired configuration management to support the following business requirements:
- Compare the configuration of computers in your enterprise against Best Practices configurations from Microsoft and other vendors.
- Verify the configuration of provisioned computers against one or more custom defined configuration baselines before the computers go into production.
- Identify computer configurations that are not authorized by change control procedures.
- Prioritize non-compliance with four levels of severity.
- Report compliance with regulatory policies and in-house security policies.
- Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.
- Provide the help desk with the means to detect probable causes for reported incidents and problems by identifying non-compliant configurations.
- Remediate non-compliance with software distribution that targets computers with software packages or scripts by using a collection that is automatically populated with computers reporting non-compliance.
- Leverage management products that monitor Windows events on computers to take automatic action when a configuration is reported out of compliance.
For example scenarios of how desired configuration management can be implemented to address these requirements, see Example Scenarios for Implementing Desired Configuration Management.
Note: For information about using the Configuration Manager 2007 Software Development Kit to script and develop software for this feature, see http://go.microsoft.com/fwlink/?LinkID=129521.
In This Section
Click any link in the following section for overview information about desired configuration management.
- About Configuration Baselines in Desired Configuration Management
  - Provides information about configuration baselines, and explains how they are used in desired configuration management.
- About Configuration Items in Desired Configuration Management
  - Provides information about configuration items, and explains how they are used in desired configuration management.
- About Compliance and Compliance Information in Desired Configuration Management
  - Provides information about how compliance is evaluated to help you interpret the desired configuration management reports.
- About Content Versions in Desired Configuration Management
  - Provides information about content versions in configuration baselines and configuration items, to help you interpret information in the Configuration Manager console and in reports.
- About Configuration Categories in Desired Configuration Management
  - Provides information about configuration categories and when to use them with desired configuration management.
- About Authoring Configuration Data for Desired Configuration Management
  - Provides information about creating configuration baselines and configuration items, and explains the different options for authoring.
- About the Non-Compliance Severity Level in Desired Configuration Management
  - Provides information about the non-compliance severity level, and explains how to use it with desired configuration management.
- About Validation Criteria in Desired Configuration Management
  - Provides information about how objects and settings are validated for compliance with desired configuration management.
- About Compliance Evaluation Schedules in Desired Configuration Management
  - Provides information about how often computers are assessed for compliance with desired configuration management, and explains how to modify this configuration.
- About Reports for Desired Configuration Management
  - Lists the reports that are available to report compliance information, and help manage and troubleshoot desired configuration management.
- About Desired Configuration Management in Configuration Manager Hierarchies
  - Explains how desired configuration management works if you have a multiple site Configuration Manager hierarchy.
- About Forefront Client Security Integration with Configuration Manager 2007 R2
  - Explains how desired configuration management can monitor the Forefront Client components.
- Desired Configuration Management Administrator Workflows
  - Lists the administrator workflows that are available to help you use imported best practices configuration data from Microsoft® System Center Configuration Manager 2007 Configuration Packs.
- Desired Configuration Management Checklists
  - Lists the administrator checklists that are available to help you use imported best practices configuration data from Microsoft® System Center Configuration Manager 2007 Configuration Packs.
See Also
Concepts
Desired Configuration Management Security Best Practices and Privacy Information
Other Resources
Planning for Desired Configuration Management
Configuring Desired Configuration Management
Tasks for Desired Configuration Management
Troubleshooting Desired Configuration Management
Technical Reference for Desired Configuration Management