DCM compliance checks slow to respond to changes

I am testing DCM in our test environment.  I have finally got some compliance checks to work (DCM is not as easy as I expected) but am finding that testing the checks is a slow process.  If I get a check to show as compliant (for example, checking a registry setting is correct), when I change the registry setting so it won't be in compliance, it takes some 10 minutes to reflect the non-compliance when the check is re-evaluated.  I have read somewhere this is because all the checks are done through WMI and that is only updated every 90 minutes or so (doesn't quite tie up with what I have seen).
 
Is this behaviour normal?  If so, how can I speed up this process?
 
Many thanks.
 
Ian (not at MMS this year, unfortunately).

Hmm... I've recently been creating/testing/modifying/testing some custom DCM rules.  I'm going to guess it may just be timing.  From what I've noticed, you 1) make a change to the baseline; so MPs now have the new policy 2) the test client (I'm doing this either with Roger Zanders Client Center or interactively logged in), has to do a couple of policy refreshes to get the updated policy version.  3) run the evaluation  4) if you are waiting for reports / views to be updated instead of interactively running the local report available in the Configuration Manager applet, that's a status message, so you're also waiting for the status message to go from the client to the server.
 
If you kind of step through the above (the refresh policies is always the place where I am most impatient), does that help you understand the delays?
 

mofmaster@myitforum.com
My Blog
Microsoft MVP - ConfigMgr

Thanks Sherry.  I guess I didn't explain myself fully.  I am purely looking at the Configurations tab in the Control Panel applet.  If I run an evaluation, for example which checks a registry entry, it comes back as Compliant in the Configurations tab.  If I then change the registry entry to something that is not compliant and rerun the evaluation through the Control Panel applet again, it still shows as Compliant.  It takes a long time before it will finally (correctly) evaluate as non-compliant.
 
So, I am not changing the rule, just changing the entry on the machine it is checking, so no delays caused by MPs etc.
 
Regards,
Ian

It will not show non compliant until the DCM process runs again, once a week by default.

www.Enhansoft.com

Blog:
http://smsug.ca/blogs/garth_jones/default.aspx

I am clicking the "Evaluate" button on the "Configurations" tab in the Configuration Manager applet to run it again.  As I said, it does correctly show the compliance state, just not immediatley as I would have expected.

I have not had my coffee yet but how long does it take ~5 minutes?

www.Enhansoft.com

Blog:
http://smsug.ca/blogs/garth_jones/default.aspx

I've had lots of coffee, which is maybe why I am being impatient!  I think it is more like 10-15 minutes, although I haven't timed it.

Lol… <tongue in cheek> What does SMS stand for?
 
 
Slow Moving Software.
 
 
5-10-15 minutes is most like cause be the script for this DCM is not completed when you get access back from the control panel applet and the screen refresh will take a few minutes too. I would say this is normal. You might be able to speed this update by existing the applet and going back in.

www.Enhansoft.com

Blog:
http://smsug.ca/blogs/garth_jones/default.aspx

Thanks Garth.  I am prepared to accept this is how it is, but the screen refreshes fairly quickly (it shows "In-Progress" and returns to "Idle" in about 10 seconds (and the DCMAgent log file shows the State as Complete), so it seems strange.  I have some other rules which do take longer, so I understand what you are saying.  All I am checking is a single registry entry (using a rule from Microsoft's Security Compliance Management Toolkit), so I don't think it should take very long.
 
I have just rerun it many times, and it took 15 minutes to report the correct compliance state after about 10 times for me running it (clicking the Evaluate button).  The DCMAgent log file shows extra entries, which it didn't show on the previous 9 times when it didn't evaluate correctly, including entries saying "State - Reporting (scan)" and "CompleteCIDiscovery (all Baselines processed)".  It normally doesn't show the "(scan)" and "(all Baselines processed)" when it doesn't evaluate correctly.  At least I can watch this log file to know when it has actually evaluated correctly, but wating 15 minutes is too long.
 
I used to do the same sort of check in Custom Updates in SMS and I could change the registry entry and it would report straight away, so this is big step back for us.
 
Also, I cannot get rules for WMI compliance checks to work, but that is for another thread!  All very frustrating.

if you neeeeed help with the wmi rules, let me know.

i do not have a goooood lab available this weeeek, and my baslines are usually wmi queries, but i never noticed the lag u mention

mofmaster@myitforum.com
My Blog
Microsoft MVP - ConfigMgr

It turns out I wasn't imagining the 15 minute lag.  This is built into DCM, see Wally's (Wally Mead?) reply in this thread on Technet:- http://social.technet.microsoft.com/forums/en-US/configmgrdcm/thread/0c09fd61-aa1a-4249-9880-3f44ed544683/.  "It is not supported to change that value, without PSS intervention"
 
Thanks Sherry.  I think I am getting there with the WMI queries, but if I have more problems I will raise another thread.

Sherry, thanks for your offer of looking at my WMI checking problem.  I have created another thread, here:- http://www.myitforum.com/forums/DCM_compliance_checks_of_WMI/m_199731/tm.htm

Ian

I just say your other thread; Unfortunately... it's MMS week, and limited access to my labs to check your wmi query.  For some reason, in Commnet they block walk-up users from accessing wbemtest to mess with wmi.  Huh.  :-)  If no one else steps in, I'll check on it later when I've got access to a box.

mofmaster@myitforum.com
My Blog
Microsoft MVP - ConfigMgr

No rush for this Sherry - it can wait until next week.  It is a holiday in the UK on Monday so I'm not back in the office until Tuesday anyway.
 
Thanks very much.
Ian

After an evaluation occurs and you modify the baseline, (in ConfigMgr 2007) the minimum amount of time to wait before a subsequent evaluation against the "new/modified" baseline is 22 minutes (and no sooner.  try it...you'll see!!).  You can trigger the subsequent evaluation before the 22 minutes transpires, but the new/modified baseline will not be discovered as the DCMAgent.log will have an entry stating ProcessDiscovery (discovery not required) and then it will stop.
 
It's a drag when you're testing, I know...but that's how it works.  In my test environments I automatically set the DCM agent to a custom evaluation schedule of Every 22 minutes.