Topic Last Updated—August 2008

This step-by-step guide contains procedures to guide you through the process of using desired configuration management to author configuration items in Configuration Manager 2007 by using the Configuration Manager console.

The three procedures in this guide provide examples of authoring each type of configuration item:

After you have successfully created the configuration items, they can be added to configuration baselines and assigned to clients through Configuration Manager collections. For further information about this process, refer to the following topics in the Configuration Manager 2007 help:

On This Page

Test Network Environment

The guide makes the following assumptions:

  • You are running a functioning Configuration Manager 2007 site with at least one management point.

  • You are logged in with a Windows user account that is a member of the SMS Admins local group on the site server, and this user account has sufficient class security rights to create and modify configuration items. An example of a Windows user account with sufficient rights is the account that was used to install the Configuration Manager 2007 site.

  • The desired configuration management client agent is enabled on the Configuration Manager 2007 site. For details, see the topic Configuring Desired Configuration Management in the Configuration Manager 2007 help.

  • Examples in this guide use the domain name CONTOSO and the Windows user account name Administrator. You can substitute these names with any valid domain name and Windows user account on your test network.

Authoring a General Configuration Item Using the Configuration Manager Console

This procedure guides you through the process of using desired configuration management to author a general configuration item in Configuration Manager 2007.

This example uses a registry setting to determine whether computers are running Internet Explorer 7 and a file or folder object to determine whether users have access to the Internet Explorer plug-ins folder.

To author a general configuration item defining the file or folder object and registry setting to assess for compliance

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Desired Configuration Management.

  2. Expand the Desired Configuration Management node, right-click Configuration Items, click New, and then click General Configuration Item.

  3. On the Identification page of the Create General Configuration Item Wizard, specify the following:

    • Name: Specify a unique and descriptive name for the configuration item, such as Internet Explorer general configuration item.

    • Description: Specify a description for the configuration item, such as This configuration item determines whether client computers are in compliance with the company's Internet Explorer configuration policy.

    • Click Next.

  4. On the Objects page of the Create General Configuration Item Wizard, click New, and then click File or Folder.

  5. In the New File or Folder Properties dialog box, specify the following in the General tab:

    • Type: From the drop-down list, select Folder.

    • Path: Specify the path C:\Program Files\Internet Explorer.

    • File or folder name: Specify the folder name PLUGINS.

    • Name pattern search depth: From the drop-down list, select Specified Path.

    • Description: Specify a description for the file or folder object, such as This file or folder object is used to determine the compliance of the permissions on the folder C:\Program Files\Internet Explorer\PLUGINS.

    • Is this file or folder from a 64-bit application? Select No.

    • Click the Permission tab.

  6. In the Permission tab, specify the following:

    • Select the option Include permissions.

    • Select the option Non-exclusive. This option indicates that any Windows groups or users that are not specified in the permissions list will not be included when the file or folder object is assessed for compliance.

    • Click Add.

  7. In the Enter Group or User Name dialog box, specify the following:

    • Enter the Group or User Name: Enter the Windows user name CONTOSO\Administrator.

    • Select the type of access control for this group or user Select Allow.

    • Click OK.

  8. In the New File or Folder Properties dialog box, in the Permission tab, specify the following:

    • Under Permission, verify that Full Control is selected.

    • Click OK to close the New File or Folder Properties dialog box.

  9. Click Next.

  10. On the Settings page of the Create General Configuration Item Wizard, click New, and then click Registry.

  11. In the New Registry Setting Properties dialog box, specify the following in the General tab:

    • Display Name: Enter a name for the setting, such as Internet Explorer registry key

    • Description: Enter a description for the setting, such as Validates that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version is equal to 7.0.5600.16384.

    • Hive: From the drop-down list, select HKEY_LOCAL_MACHINE.

    • Key: Specify the key SOFTWARE\Microsoft\Internet Explorer.

    • Value Name: Specify the value Version

    • Is this registry key associated with a 64-bit application? Select No.

    • Click the Validation tab.

  12. In the Validation tab, specify the following:

    • Data Type: From the drop-down list, select String.

    • Select the option Report a non-compliance event when this instance count rule fails.

    • Instance count operator: From the drop-down list select Greater Than.

    • Values: In the Values field, enter 0.

    • Severity: From the drop-down list, select Warning.

    • Under Details, click New.

  13. In the Configure Validation dialog box, specify the following:

    • Name: Enter a name for the validation, such as Registry key version check.

    • Description: Enter a description for the validation, such as Checks that the Internet Explorer version registry key equals 7.0.5600.16384.

    • Operator: From the drop-down list, select Equals.

    • Value: In the Value field, enter 7.0.5600.16384.

    • Click OK to close the Configure Validation dialog box.

  14. Click OK to close the New Registry Setting Properties dialog box.

  15. Click Next.

  16. On the Applicability page of the Create General Configuration Item Wizard, specify the following:

    • Under Windows Platforms, select All Windows Platforms.

    • Click Next.

  17. On the Summary page of the Create General Configuration Item Wizard, review the settings for the configuration item you have created, and then click Next.

  18. View the Progress page of the Create General Configuration Item Wizard. When this is complete, view the summary of actions taken on the Wizard Complete page.

  19. To close the wizard, click Close.

Next Steps

You have now created a general configuration item that can be added to a configuration baseline. For example, to check that client computers have Internet Explorer version 7 installed, and that the Internet Explorer plug-ins folder is correctly configured for security permissions, add this configuration item to a configuration baseline by using the following configuration baseline rule:

  • These application and general configuration items are required and must be properly configured

Authoring an Operating System Configuration Item Using the Configuration Manager Console

This procedure guides you through the process of using desired configuration management to author an operating system configuration item in Configuration Manager 2007 by using the Configuration Manager console.

This operating system configuration item determines whether the client computer operating system is x86 Windows 2003 Server R2.

To author an operating system configuration item to define the Windows version to assess for compliance

  1. In the Configuration Manager Console, navigate to System Center Configuration Manager / Site Database / Computer Management / Desired Configuration Management.

  2. Expand the Desired Configuration Management node, right-click Configuration Items, click New, and then click Operating System Configuration Item.

  3. On the Identification page of the Create Operating System Configuration Item Wizard, specify the following:

    • Name: Specify a unique and descriptive name for the configuration item, such as Windows Server 2003 Operating System Configuration Item.

    • Description: Specify a description for the configuration item, such as This configuration item determines compliance for x86 Microsoft Windows Server 2003 R2.

    • Click Next.

  4. On the Microsoft Windows Version page of the Create Operating System Configuration Item Wizard, specify the following:

    • Select the option Specify Windows version by description.

    • From the drop-down list, select All x86 Windows Server 2003 R2.

    • Click Next.

  5. On the Objects page of the Create Operating System Configuration Item Wizard, click Next.

  6. On the Settings page of the Create Operating System Configuration Item Wizard, click Next.

  7. On the You have successfully completed the wizard page of the Create Operating System Configuration Item Wizard, review the actions to be taken in the Details box, and then click Next.

  8. View the Progress page of the Create Operating System Configuration Item Wizard. When this is complete, view the summary of actions taken on the Wizard Complete page.

  9. To close the wizard, click Close.

Next Steps

You have now created an operating system configuration item that can be added to a configuration baseline. For example, to check that client computers are running Windows Server 2003 R2, you could add this configuration item to a configuration baseline by using the following configuration baseline rule:

  • One of the following operating system configuration items must be present and properly configured

Authoring an Application Configuration Item Using the Configuration Manager Console

This example contains procedures to guide you through the process of using desired configuration management to author an application configuration item in Configuration Manager 2007 by using the Configuration Manager console.

The application configuration item determines whether the program Microsoft Office Communicator 2005 is installed, and it also includes a registry setting to determine whether Microsoft Office 2007 is installed in the correct folder.

To author an application configuration item to define a detection method and setting to assess for compliance

  1. In the Configuration Manager Console, navigate to System Center Configuration Manager / Site Database / Computer Management / Desired Configuration Management.

  2. Expand the Desired Configuration Management node, right-click Configuration Items, click New, and then click Application Configuration Item.

  3. On the Identification page of the Create Application Configuration Item Wizard, specify the following:

    • Name: Specify a unique and descriptive name for the configuration item, such as Microsoft Office Configuration Item.

    • Description: Specify a description for the configuration item, such as This configuration item determines compliance for Microsoft Office.

    • Click Next.

  4. On the Detection Method page of the Create Application Configuration Item Wizard, specify the following:

    • Specify that Windows Installer (MSI) detection should be used to determine whether the application is installed on client computers.

    • Click Open.

    • In the Open dialog box, browse to the Microsoft Office Communicator installation file, Communicator.msi.

    • Click Open to select this file and close the dialog box.

    • Product Code: This field is populated automatically with the Windows Installer product code of the installer file you selected.

    • Version: This field is populated automatically with the version number of the Windows installer file you selected.

    • Click Next.

  5. On the Objects page of the Create Application Configuration Item Wizard, click Next.

  6. On the Settings page of the Create General Configuration Item Wizard, click New, and then click Registry.

  7. In the New Registry Setting Properties dialog box, specify the following in the General tab:

    • Display Name: Enter a name for the setting, such as Microsoft Office 2007 install location

    • Description: Enter a description for the setting, such as Validates that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Common\InstallRoot is equal to c:\Program Files\Microsoft Office\Office12\.

    • Hive: From the drop-down list, select HKEY_LOCAL_MACHINE.

    • Key: Specify the key SOFTWARE\Microsoft\Office\12.0\Common.

    • Value Name: Specify the value InstallRoot.

    • Is this registry key associated with a 64-bit application? Select No.

    • Click the Validation tab.

  8. In the Validation tab, specify the following:

    • Data Type: From the drop-down list, select String.

    • Select the option Report a non-compliance event when this instance count rule fails.

    • Instance count operator: From the drop-down list select Greater Than.

    • Values: In the Values field, enter 0.

    • Severity: From the drop-down list, select Warning.

    • Under Details, click New.

  9. In the Configure Validation dialog box, specify the following:

    • Name: Enter a name for the validation, such as Office registry key check.

    • Description: Enter a description for the validation, such as Checks that the Office install location is set to c:\Program Files\Microsoft Office\Office12\.

    • Operator: From the drop-down list, select Equals.

    • Value: In the Value field, enter c:\Program Files\Microsoft Office\Office12\.

    • Click OK to close the Configure Validation dialog box.

  10. Click OK to close the New Registry Setting Properties dialog box.

  11. Click Next.

  12. On the Applicability page of the Create Application Configuration Item Wizard, specify the following:

    • Under Windows Platforms, select All Windows Platforms.

    • Click Next.

  13. On the Summary page of the Create Application Configuration Item Wizard, review the actions to be taken in the Details box, and then click Next.

  14. View the Progress page of the Create Application Configuration Item Wizard. When this is complete, view the summary of actions taken on the Wizard Complete page.

  15. To close the wizard, click Close.

Next Steps

You have now created an application configuration item that can be added to a configuration baseline. For example, to check that Microsoft Office Communicator 2005 is installed and that Microsoft Office 2007 is installed in the correct folder, add this configuration item to a configuration baseline by using the following configuration baseline rule:

  • These application and general configuration items are required and must be properly configured

However, if you want to check that only the computers that have Microsoft Office Communicator 2005 installed, have installed Microsoft Office 2007 in the correct folder, add this application configuration item to a configuration baseline by using the following configuration baseline rule:

  • If these optional application configuration items are detected, they must be properly configured

  • You can also use this application configuration item to check that computers do not have Microsoft Office Communicator 2005 by adding this configuration item to a configuration baseline using the following configuration baseline rule:

  • These application configuration items must not be present

See Also