Desired Configuration Management Overview
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Desired configuration management in Microsoft System Center Configuration Manager 2007 allows you to assess the compliance of computers with regard to a number of configurations, such as whether all required applications are installed and configured correctly. You can also assess whether optional applications are installed and configured appropriately and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define how they should be defined for compliance. Configuration baselines can be imported from the Web as Best Practices, defined within Configuration Manager 2007, or defined externally and then imported into Configuration Manager.
Note
Download configuration data that has been published by Microsoft and other software vendors and solution providers as Best Practices configurations is available from the Microsoft Configuration Data Download Web site.
After a configuration baseline is defined, it can be assigned to computers through collections and evaluated on a schedule. Client computers can have multiple configuration baselines assigned to them, which provides for precise administration. Client computers evaluate their compliance with each configuration baseline and report back the results to the site. If the client is not connected to the network and therefore cannot immediately send the compliance information, the compliance information is sent on reconnection.
You can monitor the results of the configuration baseline evaluation compliance from the Desired Configuration Management home page in the Configuration Manager console. You can also run a number of desired configuration management reports to obtain details, such as which computers are compliant or non-compliant and which element of the configuration baseline is causing a computer to be non-compliant. You can also view compliance evaluation results from the client itself by using the Configurations tab from Configuration Manager Properties dialog box.
You can use desired configuration management to support the following business requirements:
Compare the configuration of computers in your enterprise against Best Practices configurations from Microsoft and other vendors.
Verify the configuration of provisioned computers against one or more custom defined configuration baselines before the computers go into production.
Identify computer configurations that are not authorized by change control procedures.
Prioritize non-compliance with three levels of severity.
Report compliance with regulatory policies and in-house security policies.
Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.
Provide the help desk with the means to detect probable causes for reported incidents and problems by identifying non-compliant configurations.
Remediate non-compliance with software distribution that targets computers with software packages or scripts by using a collection that is automatically populated with computers reporting non-compliance.
Take advantage of management products that monitor Windows events on computers to take automatic action when a configuration is reported out of compliance.
Use the Desired Configuration Management dashboard to identify required and prohibited configurations and report compliance against those definitions.
Note
For information about using desired configuration management in Configuration Manager 2007, see https://go.microsoft.com/fwlink/?LinkId=103835.
Configuration Baselines
Baselines are used to define the configuration of a product or system established at a specific point in time, capturing both structure and details. Configuration baselines in Configuration Manager contain a defined set of desired configurations that are evaluated for compliance as a group.
Configuration baselines contain one or more configuration items with associated rules, and they are assigned to computers through collections, together with a compliance evaluation schedule.
Note
Although you can assign configuration baselines to a collection that contains users, the configuration baselines are evaluated only by computers in the collection, and not by users in the collection.
You can create your own configuration baselines with the Configuration Manager 2007 console, and you can import configuration baselines from the following sources:
A Best Practice configuration baseline from Microsoft or other vendors
Custom authored configuration baselines from within your own organization, but external to Configuration Manager
Another Configuration Manager site
Configuration Items
Configuration items define a discrete unit of configuration to assess for compliance. They can contain one or more elements and their validation criteria, and they typically define a unit of configuration you want to monitor at the level of independent change.
Configuration items are the building blocks for configuration baselines, and consequently the same configuration item can be used in multiple configuration baselines.
Configuration Manager supports the following configuration item types:
- Operating system configuration item
A configuration item to determine compliance for settings that relate to the operating system version and configuration.
- Application configuration item
A configuration item to determine compliance for an application. This can include whether the application is installed in addition to details about its configuration.
- General configuration item
A configuration item to determine compliance for general settings and objects, where their existence does not depend on the operating system, an application, or a software update.
- Software updates configuration item
A configuration item to determine compliance of software updates by using the software updates feature in Configuration Manager.
Configuration Categories
Configuration categories offer an optional method of sorting and filtering configuration baselines and configuration items within the Configuration Manager console, and in Configuration Manager reports. Using configuration categories can be particularly useful when you have many configuration items and configuration baselines to manage.
Both configuration items and configuration baselines in Configuration Manager share the same configuration categories and have the following default categories, which are examples:
Client
IT Infrastructure
Line of Business
Server
You cannot rename the examples or categories, but you can delete them and add your own configuration categories. Configuration items and configuration baselines can belong to more than one configuration category at a time.
Configuration categories appear only in the Configuration Manager console, and in Configuration Manager reports. Configuration categories do not appear on the client Configurations tab or in reports that are generated from the client with the View Report button. Also, the category information is not included when you export configuration data to a file. However, configuration categories that are created in a parent site are inherited by a child site, and configuration data that is inherited from a parent site retains its configuration category information from the parent site.
Non-Compliance Severity Level
The non-compliance severity level allows you to rate the severity of the non-compliance status so that you can prioritize attention and remedial action. It can be configured for two purposes:
When an object or setting within a configuration item is not present on the client computer.
When an object or setting within a configuration item is present on the client computer but fails the validation criteria.
Because you can have many objects or settings within a single configuration item, each with their own non-compliance severity level, the client's compliance evaluation for that configuration item records the highest non-compliant severity level. Similarly, because a configuration baseline typically contains a number of configuration items, the client's compliance evaluation for the configuration baseline will record the highest non-compliant severity level reported by the configuration items it contains.
These non-compliance details are reported to the site in state messages. In addition, clients send status messages when the compliance status of a configuration item or configuration baseline changes from one compliance status to another, for example, from unknown to compliant or from compliant to non-compliant on re-evaluation.
Non-compliance severity levels are also used to produce Microsoft Windows application event messages. These can be displayed on the client computer and collected by management products such as Microsoft System Center Operations Manager 2007. Management products can often be configured to take automatic action on the collected Windows events if they match defined criteria. For example, you could run automatic scripts if critical servers reported non-compliance, or you could send an e-mail to administrators to warn them about a desktop that is not configured correctly.
The non-compliance severity level can be configured with the following options:
None: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) do not log a Windows application event message. Computers send a state message and status message with the non-compliant severity level of None.
Informational: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) log a Windows application event message of the type Informational. State messages and status messages that are sent by the client have the non-compliant severity level of Informational.
Warning: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) log a Windows application event message of the type Warning. State messages and status messages sent by the client have the non-compliant severity level of Warning.
Error: Computers that are not compliant with one or more of the objects or settings in the configuration item (either not present or present but fail the validation criteria) log a Windows application event message of the type Error. State messages and status messages sent by the client have the non-compliant severity level of Error.
In addition to using the Windows application events, you can use the status messages in Configuration Manager 2007 to filter on non-compliance results in the Desired Configuration Management home page, in reports, and in queries.
Validation Criteria
The validation criteria define how objects and settings within a configuration item are considered compliant or non-compliant. For example, a registry key setting can be considered compliant if it is a set value or a range of values that you consider acceptable. The validation criteria that you can specify depends on the data type of the object property or setting.
Additionally, you can validate the Windows security permissions on registry key objects and on file or folder objects. Permissions can be validated exclusively or non-exclusively. Exclusive validation on permissions means that permissions and groups or users that are not specified result in a non-compliance status. Non-exclusive validation on permissions means that permissions and groups or users that are not specified are not included when assessing compliance.
Compliance Evaluation Schedules
Assigned configuration baselines are evaluated by clients on a defined schedule, even if the computer is not connected to the network. A site has a default compliance evaluation schedule that can be overridden for each configuration baseline assignment. The specified time is evaluated in the client's local time.
As with other schedules within Configuration Manager, the compliance evaluation schedules can be configured as a simple schedule (such as every 6 hours) or a custom schedule (such as every Sunday at 2:00 A.M.).
See Also
Concepts
System Center Configuration Manager Software Development Kit
Configuration Manager Desired Configuration Management