Configuration Manger 2007 has a great feature called Desired Configuration Management (DCM). It’s pretty easy to understand and use. You define a standard using queries of the registry, WMI and the file system to say what must be present, not present or what settings are valid, e.g. "this service must be disabled". Anything not meeting this compliance statement can be reported and acted on. In theory you could build a collection based on this data and enact an automated response.
MS has released the SCAP Conversion Tool for Desired Configuration Manager that will enable you to convert Security Content Automation Protocol files into files that can be used by DCM.
They’ve also released a Security Compliance Management Toolkit to help you how to plan, deploy, monitor, and remediate a security baseline.
One thought on “New SCCM 2007 Desired Configuration Management Releases”