I joined a session last Friday where Wally Mead from Microsoft talked about CM2012 Compliance Manager formerly known as DCM (desired configuration manager)
One of the major differences between DCM and Compliance manager is with Compliance manager it is not only be possible to create compliance reports but also remediate computers that differs from the wanted compliance.
Here I would like to raise a warning or at least point out at potential risk of a remediation loop.
Let me explain with an example.
A company uses group policy and group policy references to control machine and user settings.
This has been good practice for years, working just fine.
The GPO settings is maintained by group A in the company.
Group B in the company works with CM2012 and they implements Compliance manager with remediation for some settings that at the same time are already set by a GPO.
The problem is that Group B, has chosen to remediate to
different settings than set in the GPO.
Now the remediation process and the GPO applying will fight forever to set the setting each one thinks is right.
So watch out and those carefully what settings you remediate with Compliance manager in CM2012.