With Configuration Manager 2007 Desired Configuration Management (DCM), organizations can ensure that IT systems comply with desired configuration states to improve systems availability, security, and performance network-wide.
Desired configuration management in Configuration Manager allows you to assess the compliance of computers with regard to a set of established configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, all required applications are installed and configured correctly, optional applications are configured appropriately, and whether prohibited applications are installed.
Additionally, you can check for compliance with software updates and security settings. Desired Configuration Management reduces problems associated with configuration drift, giving IT administrators a means to manage systems proactively for configuration compliance against established standards.
Compliance is evaluated by defining a configuration baseline that contains the configuration items to monitor, and rules that define the required compliance. This configuration data can be imported from the Web in the form of Configuration Manager Configuration Packs, defined within Configuration Manager, or defined externally and then imported into Configuration Manager.
Microsoft Configuration Packs are created by the Microsoft application and operating system development teams for the most frequently deployed Microsoft enterprise applications and Windows server components to provide unique best practice configuration knowledge. This knowledge also comes in the form of Configuration Packs from third-party vendors for popular enterprise applications.
IT administrators can leverage these configuration standards and build their own configuration baselines to develop configuration knowledge appropriate to their environment.
Once IT administrators define configuration baselines that may support their security or compliance efforts, they can use the Desired Configuration Management dashboard to identify required and prohibited configurations for, and report compliance against, those definitions quickly and easily. New reporting capabilities with drill-down functionality provide both overall compliance reports and troubleshooting reports. When systems do drift from desired configuration states, IT administrators can quickly remediate non-compliance by deploying software, scripts, updates, or task sequences against identified collections.
With Desired Configuration Management, enterprises can:
Use defined configuration baselines to validate the configuration of recently provisioned IT systems before putting them into production.
Audit and report compliance with in-house security policies.
Identify potential security vulnerabilities, as defined by Microsoft and other software vendors.
Reduce time to resolution for help desk calls with tools and processes to detect the likely causes for reported incidents through identification of non-compliant configurations.
Remediate non-compliance with these configuration baselines by using a collection, which automatically populates with systems reporting non-compliance, to target systems with software packages or scripts.