What is Desired Configuration Management (DCM)?
DCM is a feature in SCCM that will provide a framework for assisting organizations in both defining and enforcing corporate policies and standards for system configurations, whether related to the operating system or an application installed on the system.
Feature include authoring and scheduling, model-based design leveraging Service Modeling Language (SML) (a component of Microsoft's Dynamic Systems Initiative) which makes the features we're about to discuss possible.
Some of the key scenarios that drove the features Microsoft delivered in the final release of DCM include:
Regulatory Compliance - demonstrating regulatory compliance in system configurations. Not only deploying a compliant standard system configuration, but being able to periodically prove adherence to these policies.
Pre and post change configuration - Verify that no unplanned changes took place during the implementation of a planned change.
Monitoring for "drift" - Verify that new systems are built in accordance to the planned role in your infrastructure, and monitoring for human error and misconfiguration in day-to-day administration. Ensuring corporate policies are implemented in base machine builds and maintained over time.
Streamline Support - Incorporating DCM reporting into the troubleshooting process to drive down time to resolution and overall support costs.
The bottom line - DCM monitors your systems actual configuration against a "desired configuration" model and identifies policies that have drifted outside this policy.
3 key concepts: Configuration Items, Configuration Baselines, and Configuration Packs.
The smallest unit of measure in the DCM model is the Configuration Item (CI). Configuration Items represent a desired object or setting or value on a client or within an application. Configuration items can include registry values, objects on the file system (files, folders) and attributes (firewall settings, NTFS permissions), as well data retrieved via scripts. The Configuration Items fall into one of the following categories:
Application CI - Settings within an application like MS Word, Exchange, or SQL Server.
OS CI - Representing a specific operating system object or setting.
General CI - General settings related to corporate policies like corporate security policy, Sarbanes-Oxley, etc.
These configuration items are reusable, and can be grouped into multiple, logical collections of settings known as a Configuration Baselines, which represent your base unit of management in DCM. Within the configuration baseline, you can define mandatory, optional and prohibited configuration items.?
Configuration Baselines will generally be constructed to map to machine roles (a type or class of system), such as Domain Controller, Exchange 2003 Server, SQL Database Server. Creating all the configuration items for configuration baseline for something like Exchange is time consuming and the use of Configuration Packs comes in. Configuration Packs are pre-defined configuration baselines (templates so to speak) created by Microsoft and 3rd parties representing best practice configuration for common OS and server applications. Configuration packs are designed to be used as a starting point for your own corporate baseline, and then modified to meet your organizations requirements.
Configuration packs templates are best served using the Solution Accelerator Microsoft Security Compliance Manager