Desired configuration management in Configuration Manager 2007 allows you to assess the compliance of computers with regard to a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define the compliance that you require. This configuration data can be imported from the Web in Microsoft System Center Configuration Manager 2007 Configuration Packs as best practices defined by Microsoft and other vendors, or defined within Configuration Manager, or defined externally and then imported into Configuration Manager.
| Note |
|---|
| Download configuration data that has been published by Microsoft and other software vendors and solution providers from the Microsoft System Center Configuration Manager 2007 Configuration Packs Web page (http://go.microsoft.com/fwlink/?LinkId=71837). |
After a configuration baseline is defined, it can be assigned to computers through collections and evaluated on a schedule. Client computers can have multiple configuration baselines assigned to them, which provides the administrator with a high level of control.
Client computers evaluate their compliance against each configuration baseline they are assigned and immediately report back the results to the site using state messages and status messages. If a client is not currently connected to the network but has downloaded the configuration items referenced in its assigned configuration baselines, the compliance information will be sent on reconnection.
You can monitor the results of the configuration baseline evaluation compliance from the Desired Configuration Management home page in the Configuration Manager console. You can also run a number of desired configuration management reports to drill down into details, such as which computers are compliant or non-compliant and which element of the configuration baseline is causing a computer to be non-compliant. You can also view compliance evaluation results from the client itself by using the Configurations tab from Configuration Manager Properties.
You can use desired configuration management to support the following business requirements:
- Compare the configuration of computers in your enterprise against Best Practices configurations from Microsoft and other vendors.
- Verify the configuration of provisioned computers against one or more custom defined configuration baselines before the computers go into production.
- Identify computer configurations that are not authorized by change control procedures.
- Prioritize non-compliance with four levels of severity.
- Report compliance with regulatory policies and in-house security policies.
- Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise.
- Provide the help desk with the means to detect probable causes for reported incidents and problems by identifying non-compliant configurations.
- Remediate non-compliance with software distribution that targets computers with software packages or scripts by using a collection that is automatically populated with computers reporting non-compliance.
- Leverage management products that monitor Windows events on computers to take automatic action when a configuration is reported out of compliance.
For example scenarios of how desired configuration management can be implemented to address these requirements, see Example Scenarios for Implementing Desired Configuration Management.