Overview of Desired Configuration Management

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Desired configuration management in Configuration Manager 2007 allows you to assess the compliance of computers with regard to a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.

Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define the compliance that you require. This configuration data can be imported from the Web in Microsoft System Center Configuration Manager 2007 Configuration Packs as best practices defined by Microsoft and other vendors, or defined within Configuration Manager, or defined externally and then imported into Configuration Manager.

Note

Download configuration data that has been published by Microsoft and other software vendors and solution providers from the Microsoft System Center Configuration Manager 2007 Configuration Packs Web page (http://go.microsoft.com/fwlink/?LinkId=71837).

After a configuration baseline is defined, it can be assigned to computers through collections and evaluated on a schedule. Client computers can have multiple configuration baselines assigned to them, which provides the administrator with a high level of control.

Client computers evaluate their compliance against each configuration baseline they are assigned and immediately report back the results to the site using state messages and status messages. If a client is not currently connected to the network but has downloaded the configuration items referenced in its assigned configuration baselines, the compliance information will be sent on reconnection.

You can monitor the results of the configuration baseline evaluation compliance from the Desired Configuration Management home page in the Configuration Manager console. You can also run a number of desired configuration management reports to drill down into details, such as which computers are compliant or non-compliant and which element of the configuration baseline is causing a computer to be non-compliant. You can also view compliance evaluation results from the client itself by using the Configurations tab from Configuration Manager Properties.

You can use desired configuration management to support the following business requirements:

  • Compare the configuration of computers in your enterprise against Best Practices configurations from Microsoft and other vendors.

  • Verify the configuration of provisioned computers against one or more custom defined configuration baselines before the computers go into production.

  • Identify computer configurations that are not authorized by change control procedures.

  • Prioritize non-compliance with four levels of severity.

  • Report compliance with regulatory policies and in-house security policies.

  • Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.

  • Provide the help desk with the means to detect probable causes for reported incidents and problems by identifying non-compliant configurations.

  • Remediate non-compliance with software distribution that targets computers with software packages or scripts by using a collection that is automatically populated with computers reporting non-compliance.

  • Leverage management products that monitor Windows events on computers to take automatic action when a configuration is reported out of compliance.

For example scenarios of how desired configuration management can be implemented to address these requirements, see Example Scenarios for Implementing Desired Configuration Management.

Note

For information about using the Configuration Manager 2007 Software Development Kit to script and develop software for this feature, see http://go.microsoft.com/fwlink/?LinkID=129521.

In This Section

Click any link in the following section for overview information about desired configuration management.

  • Desired Configuration Management Checklists
    Lists the administrator checklists that are available to help you use imported best practices configuration data from Microsoft® System Center Configuration Manager 2007 Configuration Packs.

See Also

Concepts

Desired Configuration Management Security Best Practices and Privacy Information

Other Resources

Planning for Desired Configuration Management
Configuring Desired Configuration Management
Tasks for Desired Configuration Management
Troubleshooting Desired Configuration Management
Technical Reference for Desired Configuration Management

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.