The following are some best practices that should be followed when documenting configuration packs.  This list of best practices is not inclusive and is only a recommendation.

• All configuration packs should include a word document that describes each configuration baseline, item, setting and rule.
• Each setting and rule should include the following inline in the configuration pack…
  • Summary of what the rule is checking
  • Expected value for the setting
  • Why is this setting important
  • How to fix this setting if not compliant
• All configuration packs should include a readme that details how to import the configuration pack
• All documents should be shipped inside configuration pack MSI
• All documents should also be shipped outside configuration pack to allow for direct download
• All documentation should be proofed for grammar and spelling

The following are some best practices that should be followed when testing configuration packs.  This list of best practices is not inclusive and is only a recommendation.

• All configuration items and baselines should be tested on all supported platforms and architectures
  • i.e. If configuration pack is for Windows Server 2008, then should only test on Windows Server 2008 (x86 & x64)
  • i.e. If configuration pack is for SQL Server 2005, then should test on all supported enterprise operating systems (Windows Server 2003, Windows Server 2008, etc.)
• Each configuration item setting and rules  should be tested (positive & negative cases for each)
• Configuration pack will pass validation check using DCM validation tool in System Center Configuration Manager 2007 Toolkit
• Application/General CIs, should test on wrong platforms to find hidden problems
• Test on supported language
• Import testing with ConfigMgr 2007
• Import testing with ConfigMgr 2012 (when applicable)
• If bundling your configuration pack in an MSI for distribution then perform media verification to verify MSI and CAB files are code-signed (if applicable) as well as all files are present
  

The following are some best practices that should be followed when developing configuration packs.  This list of best practices is not inclusive and is only a recommendation.

• If you want your configuration pack to work with both Configuration Manager 2007 and Configuration Manager 2012 write the configuration pack using the DCM digest schema for Configuration Manager 2007
• Use accurate and friendly names for all items, including configuration baseline and item names
• If creating outside of Configuration Manager be sure to always increment your version number prior to import.  This includes each configuration item as well as baseline, including the version number for each configuration item referenced in the baseline.
• Write accurate and detailed names and descriptions for every setting & rule, including what the rule is evaluating and why it would fail
• Make sure all data types are appropriately set
• Pay special attention to correct file version checks (= vs. >=)
• Avoid using hard-coded strings in comparisons such as “Administrators” if possible, especially if you plan to localize your configuration pack
• Appropriate usage of configuration items and baselines concepts (i.e. do not create 100+ configuration items that can easily be represented as settings with rules in one configuration item)
• Ensure detection methods are properly defined for application configuration items
• Order matters (Power Users, Administrators) vs. (Administrators, Power Users).  When writing scripts order as you best see fit
• Try to avoid using wildcards, like in registry, rather write a rule for each sub key
• Be very targeted and specific (look for individual files, not a group), do not be general.  The more specific you settings and rules are the more accurate your configuration pack will be
• Should define the platform applicability
• Flatter CI relationship is better than 4-5-6 levels deep

I’m happy to announce that we have received our validation on our new version of the System Center Configuration Manager Extensions for SCAP tool. 

The SCAP Tool converts SCAP FDCC content to DCM digest to be used with Configuration Manager 2007.  After the DCM Baselines have been evaluated the tool converts the data back into SCAP data to be used for compliance reporting.