Desired Configuration Management - using Configuration packs

Microsoft and several vendors have created a variety of DCM configurations, or rule sets, that check for various security requirements. These include basic checks for Windows 2003 and SQL 2005, and requirements for SOX, HIPAA, and other sets of regulations. They provide a good basis for checking the status of your organization's environment without having to create the definitions from scratch. You can see the complete catalog of configuration packs here.

The following comments and suggestions are based on my testing of a few packs created by Microsoft. Most of the comments probably apply to packs from other vendors as well.

The Microsoft packs are downloaded as MSI files. When installed, they create an entry in Add/Remove Programs and a folder in Program Files containing one cab file. After that cab file is imported through the Configuration Manager console, the entry in Add/Remove Programs is not needed and can be removed. I have no idea why they don't just let you download a cab file directly.

To import the definitions:

  • In the Configuration Manager console, right-click Configuration Baselines and select Import Configuration Data
  • Click Add and navigate to the desired cab file
  • Click Run, then click Next
  • The Summary will show what Baseline and Configuration Items will be added
  • This is the first time you find out if the pack contained a Baseline as well as one or more Configuration Items - many only contain CIs
  • Click Next, then Close to complete the import operation
  • If the pack did not contain a Baseline you will need to create one so the rules can be used. The process is sufficiently simple that I won't go into it here.

The next step is to examine the properties of the Configuration Items to see what is being tested, then advertise the new Baseline to a small representative sample of computers to see the results. In my testing, two of the Microsoft Configuration Items tested for file versions that were already upgraded. The tests required an equal match, so errors were reported for machines that had newer files. If you run into this, see my previous blog article for instructions for editing the incorrect CIs. Think carefully about what file versions you want to test for, to properly reflect the desired service pack and update levels.
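The false failures described above come from the comparison operator, not from the machines. The following PowerShell sketch is an added example, not code from a configuration pack or from Configuration Manager. It evaluates the same inventory under an exact-match test and a minimum-version test. The computer names, file name, version numbers, the `Test-FileVersion` function and its operator labels are all constructed for illustration.

```powershell
# Constructed sample inventory: names and versions are illustrative only.
$inventory = @(
    [pscustomobject]@{ Computer = 'SRV01'; File = 'example.dll'; Version = '5.2.3790.3959' }   # matches baseline
    [pscustomobject]@{ Computer = 'SRV02'; File = 'example.dll'; Version = '5.2.3790.4455' }   # newer than baseline
    [pscustomobject]@{ Computer = 'SRV03'; File = 'example.dll'; Version = '5.2.3790.1830' }   # older than baseline
    [pscustomobject]@{ Computer = 'SRV04'; File = 'example.dll'; Version = '5.2.3790.10000' }  # newer, longer last field
)

$baseline = '5.2.3790.3959'   # constructed "desired" version

# Hypothetical helper: compares two file versions the way a validation test
# would, using either an exact match or a minimum-version rule.
function Test-FileVersion {
    param(
        [Parameter(Mandatory)] [string] $Actual,
        [Parameter(Mandatory)] [string] $Required,
        [ValidateSet('Equals', 'GreaterOrEqual')] [string] $Operator = 'Equals'
    )
    # Cast to [version] so each dotted field is compared numerically.
    $a = [version]$Actual
    $r = [version]$Required
    switch ($Operator) {
        'Equals'         { return $a -eq $r }
        'GreaterOrEqual' { return $a -ge $r }
    }
}

$inventory | ForEach-Object {
    [pscustomobject]@{
        Computer      = $_.Computer
        Version       = $_.Version
        # Exact match: every machine that is ahead of the baseline is reported as failing.
        EqualsTest    = Test-FileVersion -Actual $_.Version -Required $baseline -Operator Equals
        # Minimum version: only machines that are actually behind fail.
        MinimumTest   = Test-FileVersion -Actual $_.Version -Required $baseline -Operator GreaterOrEqual
        # Plain string comparison, shown for contrast: it compares character by
        # character and misjudges versions whose fields differ in digit count.
        StringCompare = $_.Version -ge $baseline
    }
} | Format-Table -AutoSize
```

Under the exact-match test the up-to-date machines SRV02 and SRV04 are flagged alongside SRV03, which is the only one that needs remediation.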

The standard Configuration Manager DCM reports include many compliance reports. As with most such reports, you can get a high-level summary report and drill down to details of exactly which validation tests failed for each computer. Analyze these reports carefully and decide on a plan for correcting the deficiencies reported. You can also see detailed compliance reports for any computer through its Control Panel Configuration Manager applet by selecting the desired report in the Configurations tab.

In many cases the remediation will require applying a service pack or selected updates to all applicable computers. Those can be handled efficiently through Software Updates. If some errors are reported for just a portion of the applicable machines, but enough of them to warrant automated solutions, you can create collections based on the DCM results and distribute applications or scripts that will apply the required changes. The WQL queries you can create cannot reflect the lowest level of detail, that of specific validation tests. The finest detail available is the list of rules shown in the Configuration Manager console under each Configuration Item. These rules often contain one or very few validation tests, but some may contain several dozen or more. The scripts or applications you advertise should allow for this and only make the updates required on a particular machine. In extreme cases, you may need to use the editing capabilities described in the previously referenced article to divide the validation tests into two or more rule sets that can be addressed individually for remediation.

For more details about creating remediation collections, see How to Remediate Non-Compliant Computers Using Software Distribution. If you have problems with any of this, see Troubleshooting Desired Configuration Management Issues.

Published Friday, December 28, 2007 8:43 PM by spruitt
