SCCM 2012 Basics
June 8, 2016 | Author: Thamaraisiva | Category: N/A
SCCM 2012

About SCCM

1. Scans and inventories all managed devices.
2. Client software deployed to supported devices
   - Tracks software and hardware components
   - Streamlines software deployment
   - Manages patches
3. Bare metal OS deployments
4. Endpoint protection - provides an antimalware and security solution for the Microsoft platform.
5. Settings management - desired configuration management
What’s New in SCCM 2012?

1. Architecture – 3 tiers: CAS (Central Administration Site), Primary, Secondary.
   - The CAS can be used for reporting and management only.
   - Primary sites can only be the parent of secondary sites.
   - Secondary sites now have their own database.
2. User centric application model.
3. HTTP and HTTPS replace mixed and native mode.
4. Software Portal.
5. Conditional delivery.
6. Role changes
   - Reporting point changed to Reporting Services Point
   - The PXE service point moved into the Distribution Point
   - The Server locator point moved into the Management Point
7. New roles
   - Software Center
   - Application Catalog website point (user end; we can add an installation guide along with the package)
   - Application Catalog web service point
   - Enrollment proxy point: manages enrollment requests from mobile devices
   - Enrollment point: completes mobile device enrollment
8. Boundary Group.
9. Forest Discovery
   - Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy. This is a cool new benefit of Configuration Manager 2012.
   - You can use Active Directory Forest Discovery to do the following:
     - Discover IP subnets in an Active Directory forest
     - Discover Active Directory sites in an Active Directory forest
     - Add the IP subnets and Active Directory sites that are discovered as boundaries in Configuration Manager
10. Client Status.
11. Virtual Application – App-V.
12. Dependency deployment – App Deployment.
13. Simulated deployment – App Deployment.
14. User Device Affinity.
15. Application Revision.
16. Application Supersedence.
17. Application Retire.
18. Automatic Deployment Rule – Software Updates.
19. Compliance Settings and Remediation.
20. Site hierarchy diagram.
21. Role Based Access security.
22. Distribution Point Groups.
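Items 8 and 9 above describe boundary groups and what Forest Discovery produces. The script below is an added example, not part of the original notes, showing how the discovered locations (IP subnets and AD sites) are turned into boundaries and grouped so clients in those locations get site assignment and content from a nearby DP. The site code PS1, the DP name and the discovered values are constructed placeholders, and the ConfigurationManager cmdlets (New-CMBoundary, New-CMBoundaryGroup, Add-CMBoundaryToGroup, Set-CMBoundaryGroup) are assumed to be available from a console installation.

```powershell
# Added example, not from the original notes. Converts locations of the kind that
# Active Directory Forest Discovery finds (IP subnets and AD sites) into boundaries
# and places them in one boundary group. Site code, DP name and discovered values
# are constructed placeholders; cmdlet names are assumed from the ConfigurationManager module.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Constructed sample of what forest discovery might have produced
$discovered = @(
    @{ Name = 'HQ-Floor1'; Type = 'IPSubnet'; Value = '10.10.1.0' },
    @{ Name = 'HQ-Floor2'; Type = 'IPSubnet'; Value = '10.10.2.0' },
    @{ Name = 'HQ-ADSite'; Type = 'ADSite';   Value = 'HQ-Site'   }
)
$groupName = 'HQ-Boundaries'

# Create the group once
if (-not (Get-CMBoundaryGroup -Name $groupName)) {
    New-CMBoundaryGroup -Name $groupName | Out-Null
}

foreach ($b in $discovered) {
    # Skip boundaries that already exist so the script is safe to re-run
    if (-not (Get-CMBoundary -BoundaryName $b.Name)) {
        New-CMBoundary -Name $b.Name -Type $b.Type -Value $b.Value | Out-Null
    }
    Add-CMBoundaryToGroup -BoundaryName $b.Name -BoundaryGroupName $groupName
}

# Tell clients in these locations which site to join and which DP serves content
Set-CMBoundaryGroup -Name $groupName -DefaultSiteCode 'PS1' `
    -AddSiteSystemServerName 'DP01.example.local'

# Review what the group now contains
Get-CMBoundary -BoundaryGroupName $groupName |
    Select-Object DisplayName, BoundaryType, Value
```

Keeping boundaries tied to locations that discovery actually found, and reviewing the group afterwards, avoids the overlapping or overly broad boundaries that send clients to the wrong site or DP.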
CAS – Central Administration Site

A Central Administration site is for large organizations having more than 100,000 clients in the hierarchy. Once you have a CAS, you can install primary sites underneath it for managing users and devices. Secondary sites can then be installed below primary sites for managing devices over slow connections. If your organization has fewer than 100,000 clients, you should only use a stand-alone primary site.

The CAS is used for a multi-site hierarchy and is the first site to be built if you use one. The next layer would be primary sites, where all processing happens. For smaller organizations, the first site deployed in the hierarchy is a primary site; but if you want to install more than one primary site, you cannot do so without a CAS server. In previous versions of SCCM, primary site servers could be installed and joined to the central site at any point in time. In SCCM 2012, primary site servers can only be connected to the central site during installation. This means that the CAS must be installed before any primary sites in the hierarchy.

Note: A CAS supports a maximum of 25 child primary sites.

Client data processing is not done by the CAS; the CAS is used for administration and reporting. The CAS requires a SQL database installed on the site server. A CAS supports up to 400,000 clients if SQL Server Enterprise or Datacenter is installed at the Central Administration site, independent of the SQL Server edition at primary or secondary sites. Up to 50,000 clients are supported if SQL Server Standard is used for the site database at the Central Administration site. This limit remains even if you upgrade the SQL Server edition at the Central Administration site from Standard to Enterprise or Datacenter after installing Configuration Manager. The CAS also does not support client assignment, since clients can only be assigned to primary sites; the reason for this is to let the central site provide better performance for administration. The CAS does not support all site system roles.
Why many recommend not having a CAS in the SCCM 2012 hierarchy

- A Central Administration site is for large organizations having more than 100,000 clients.
- Licensing costs go up: SQL, OS, hardware (unless they are VMs).
- A CAS introduces multiple moving parts.
- There is additional support overhead for fixing replication issues, bugs in that space, and the usual stuff.
Primary Site

A primary site can support up to 100,000 clients and manages clients in well-connected networks. Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007:

- Additional primary sites allow the hierarchy to support more clients.
- Cannot be tiered below other primary sites.
- No longer used as a boundary for client agent settings or security.
- Participates in database replication.
Secondary Site

A secondary site controls content distribution for clients in remote locations across links that have limited network bandwidth. Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in Configuration Manager 2007:

- SQL Server is required, and SQL Server Express will be installed during site installation if required.
- A management point and distribution point are automatically deployed during the site installation.
- Secondary sites can send content distribution to other secondary sites.
- Participates in database replication.
SCCM Architecture Support Limits

1. Each management point located in the primary site can support up to 25,000 client computers. If you need support for 100,000 client computers, you must have at least 4 management points.
2. Each primary site can support up to 10 management points.
3. There can be only one management point in a secondary site, and it must be installed on the secondary site server itself.
4. Always place management points near the primary site server or the site database server, with a fast link.
5. The maximum number of clients supported by the secondary site management point depends on the hardware configuration of the secondary site server.
6. Having more management points in a site provides redundancy and improves client-to-site communications.
7. One site – 250 DPs
8. One DP – 3,000 clients
9. One MP – 25,000 clients
10. One primary site – 250 secondary sites
Native Mode and Mixed Mode (SCCM 2007)

1. Choose native mode if any of the following conditions apply:
   - You require the highest security controls, using industry-standard protocols.
   - You require Internet-based client management.
2. Choose mixed mode if any of the following conditions apply:
   - You do not have the supporting public key infrastructure (PKI).
   - You have not installed the specific certificates required by Configuration Manager 2007.
   - The site contains SMS 2003 clients.
   - The site contains clients running Windows 2000 Professional or Windows Server 2000.
   - The parent site is configured for mixed mode.
   - Site systems running Internet Information Services (IIS) are not dedicated to Configuration Manager, and you cannot configure a custom website.
   - You must use WINS as the means by which clients can find their default management point (service location).
   - You do not want the site's secondary sites to be automatically migrated.
User Device Affinity

User device affinity in Microsoft System Center 2012 Configuration Manager is a method of associating a user with one or more specified devices. User device affinity can eliminate the need to know the names of a user’s devices in order to deploy an application to that user. Instead of deploying the application to all of the user’s devices, you deploy the application to the user. Then, user device affinity automatically ensures that the application is installed on all devices that are associated with that user.

You can define primary devices. These are typically the devices that users use on a daily basis to perform their work. When you create an affinity between a user and a device, you gain more software deployment options. For example, if a user requires Microsoft Office Visio, you can install it on the user’s primary device by using a Windows Installer deployment. However, on a device that is not a primary device, you might deploy Microsoft Office Visio as a virtual application. You can also use user device affinity to predeploy software on a user’s device when the user is not logged in. Then, when the user logs on, the application is already installed and ready to run.
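The following script is an added example, not from the original notes, of the workflow just described: record which device is each user's primary device, then deploy to the user rather than to devices, with predeployment turned on so the install is ready before logon. Site code, user, device, application and collection names are constructed placeholders; Get-CMUserDeviceAffinity, Add-CMUserAffinityToDevice and New-CMApplicationDeployment (with its -PreDeploy parameter) and the ResourceName property of the affinity objects are assumed from the ConfigurationManager module.

```powershell
# Added example, not from the original notes. Records primary-device affinities
# from a constructed user-to-device mapping, then deploys an application to a
# user collection instead of to device collections. All names are placeholders;
# cmdlets and the ResourceName property are assumed from the ConfigurationManager module.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Constructed sample: the device each user works on daily
$primaryDevices = @(
    @{ User = 'CONTOSO\alice'; Device = 'WS-ALICE-01' },
    @{ User = 'CONTOSO\bob';   Device = 'WS-BOB-01'   }
)

foreach ($m in $primaryDevices) {
    # Only add the affinity if this user/device pair is not already recorded
    $existing = @(Get-CMUserDeviceAffinity -UserName $m.User)
    if ($existing.ResourceName -notcontains $m.Device) {
        Add-CMUserAffinityToDevice -UserName $m.User -DeviceName $m.Device
        Write-Host "Affinity added: $($m.User) -> $($m.Device)"
    }
}

# Deploy to the user collection; affinity decides which devices get the install.
# -PreDeploy installs on the primary device even when the user is not logged on.
New-CMApplicationDeployment -Name 'Microsoft Visio' -CollectionName 'Visio Users' `
    -DeployAction Install -DeployPurpose Required `
    -UserNotification DisplaySoftwareCenterOnly -PreDeploy $true

# Review who is tied to which device
Get-CMUserDeviceAffinity -UserName 'CONTOSO\alice' |
    Select-Object UniqueUserName, ResourceName, Sources
```

Checking the existing affinities before adding makes the script safe to re-run from a maintained mapping, and the final query is the place to catch users who have accumulated affinities to devices they no longer use.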
Application Revision History
Application Supersedence
Application Retire

Per the documentation: when you retire an application, it is no longer available for deployment, but the application and any deployments of the application are not deleted. Existing copies of this application that were installed on client computers will not be removed. If an application that has no deployments is retired, it will be deleted from the Configuration Manager console after 60 days. However, any installed copies of the application are not removed. Well… this is really interesting, and it is more interesting that you can “reinstate” the application if needed. But be aware: only retiring the application will not block people from installing it. If it has an active deployment, people can still use it.
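Because retiring leaves existing deployments active, a practitioner would enumerate and remove those deployments before retiring. The script below is an added example, not from the original notes. The application name and site code are placeholders; Get-CMDeployment -SoftwareName, Remove-CMDeployment, Suspend-CMApplication (retire) and Resume-CMApplication (reinstate), together with the CollectionName, DeploymentIntent and NumberTargeted properties of the deployment summaries, are assumed from the ConfigurationManager module.

```powershell
# Added example, not from the original notes. Lists the deployments that still
# target an application, removes them (dry run with -WhatIf), and only then
# retires the application. Names and properties are assumed as stated in the lead-in.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$appName = 'Legacy Reporting Tool'   # placeholder application name

$deployments = @(Get-CMDeployment -SoftwareName $appName)
if ($deployments.Count -gt 0) {
    Write-Host "Deployments still targeting '$appName':"
    $deployments | Format-Table CollectionName, DeploymentIntent, NumberTargeted -AutoSize

    # Remove each deployment first; drop -WhatIf once the list looks right
    foreach ($d in $deployments) {
        Remove-CMDeployment -ApplicationName $appName `
            -CollectionName $d.CollectionName -Force -WhatIf
    }
}
else {
    Write-Host "No deployments target '$appName'; retire will delete it after 60 days."
}

# Retire: hidden from new deployments, installed copies are left in place
Suspend-CMApplication -Name $appName

# Reinstate later if the application is needed again
# Resume-CMApplication -Name $appName
```

The order matters: removing deployments first is what actually stops further installs, while Suspend-CMApplication only hides the application from new deployments.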
Automatic Deployment Rule – Software Updates

An automatic deployment rule enables you to create an update package automatically according to criteria such as release date, classification or language. The schedule for creating the update package can be configured in a fine-grained way; for example, it is possible to create an update package automatically on the second Tuesday of each month. Once the package is created, it is automatically deployed to the deployment point, and servers perform updates during their maintenance period. This update method should not be used in complex environments such as a Hyper-V cluster or an Exchange infrastructure; those environments need an orchestrator to avoid downtime of services.
Compliance Settings and Remediation

Compliance settings contain tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates, security settings, and mobile devices. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found.
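A script-type configuration item has two halves: a discovery script whose output is compared against the compliance rule, and a remediation script that runs only when the rule is noncompliant and remediation is enabled. The block below is an added example, not from the original notes, that keeps both halves in one file so they can be tried locally before being pasted into the CI. The SMB1 value under LanmanServer\Parameters is a documented Windows setting (0 disables the SMBv1 server) used here for illustration; treating an absent value as noncompliant and the desired value of 0 are assumptions for this example.

```powershell
# Added example, not from the original notes: discovery and remediation halves of
# a script-type configuration item. The registry setting is a documented Windows
# value chosen for illustration; the desired value and the handling of an absent
# value are assumptions of this example.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'SMB1'
$desired   = 0

# Discovery script: writes the current value to stdout for the compliance rule
function Get-SettingValue {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }   # absent value reads as noncompliant
    return [string]$item.$valueName
}

# Remediation script: creates the key if needed and sets the desired DWORD
function Set-SettingValue {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -Value $desired `
        -PropertyType DWord -Force | Out-Null
}

# Local dry run of what the client agent does: evaluate, remediate, re-evaluate
$before = Get-SettingValue
Write-Host "Before: $before (compliant: $($before -eq "$desired"))"
if ($before -ne "$desired") {
    Set-SettingValue
}
$after = Get-SettingValue
Write-Host "After:  $after (compliant: $($after -eq "$desired"))"
```

In the console, the body of Get-SettingValue goes into the Discovery script field and the body of Set-SettingValue into the Remediation script field, with a compliance rule that the returned value equals 0. Running the file locally changes the setting on that machine and needs an elevated prompt.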
SCCM Roles

- Site Server: A computer on which you run the Configuration Manager setup program and which provides the core functionality for the site.
- Site Database Server: A site system role that runs Microsoft SQL Server and hosts the Configuration Manager site database.
- Component Server: Any server running SMS Executive and Configuration Manager services. This role is automatically installed when you install any site system role except the Distribution Point role.
- Management Point: A site system role that replies to Configuration Manager client requests and accepts management data from Configuration Manager clients.
- Distribution Point: A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images.
- Reporting Services Point: A site system role that provides integration with SQL Server Reporting Services to create and manage reports for Configuration Manager.
- State Migration Point: A site system role that stores user state data when a computer is migrated to a new operating system.
- Software Update Point: A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.
- System Health Validator Point: This role must be installed on a Network Policy Server. It validates whether Configuration Manager clients are compliant with the software updates you select and passes the health state of the computers to the Windows Network Policy Server.
- Endpoint Protection Point: This role allows you to manage Windows Firewall and antimalware security policies for client computers in your hierarchy.
- Fallback Status Point: This site system role gathers state messages from clients for monitoring client installation and identifies clients that are not able to communicate with their Management Point.
- Out of Band Service Point: Allows administrators to connect to computers that have the Intel vPro chipset and a version of Intel Active Management Technology (Intel AMT) when the computer is turned off, in hibernation, or not responding.
- Asset Intelligence Synchronization Point: A site system role that connects to System Center Online to download and manage Asset Intelligence catalog information and upload uncategorized titles to consider them for future inclusion in the catalog.
- Application Catalog Web Service Point: A site system role that provides software information to the Application Catalog website from the Software Library.
- Application Catalog Website Point: A site system role that provides users with a list of available software from the Application Catalog.
- Enrollment Proxy Point: A site system role that manages enrollment requests from mobile devices so that they can be managed by Configuration Manager.
- Enrollment Point: A site system role that uses PKI certificates to complete mobile device enrollment and to provision Intel AMT-based computers.
Active Directory Tasks

Schema extensions. Benefits:
- Automatic discovery of SCCM client properties
- Port configuration for client-to-server communication
- Easier multi-site content deployment
- Use of NAP
Role Based Access Security

1. Hides interface elements based on the user profile; shows only what is relevant to the current user.
2. Granular control over actions.
3. SCCM 2012 ships with 14 pre-defined security roles.

Roles and Scopes
- Role = what a user can do
- Scope = the objects a user can manipulate
- Combined = how a user operates in SCCM 2012

Example:
- Roles: Full Administrator, Endpoint Administrator
- Security scope: Collection scope
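With roles and scopes combined deciding what each administrator can do, the natural check is an audit of who holds the broadest combination. The script below is an added example, not from the original notes: it lists the built-in roles and flags every administrative user holding Full Administrator or the "All" security scope. The site code is a placeholder; Get-CMSecurityRole with its IsBuiltIn property, and the LogonName, RoleNames and CategoryNames properties of the objects returned by Get-CMAdministrativeUser, are assumed from the ConfigurationManager module.

```powershell
# Added example, not from the original notes: review administrative users against
# the role/scope model and flag the broadest assignments for least-privilege review.
# Site code is a placeholder; cmdlets and property names are assumed as in the lead-in.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Built-in roles shipped with the product (the notes say there are 14)
$builtIn = @(Get-CMSecurityRole | Where-Object { $_.IsBuiltIn })
Write-Host "Built-in security roles: $($builtIn.Count)"

$report = foreach ($admin in Get-CMAdministrativeUser) {
    $roles  = @($admin.RoleNames)
    $scopes = @($admin.CategoryNames)   # security scopes and collections granted
    $flags  = @()
    if ($roles  -contains 'Full Administrator') { $flags += 'full-admin' }
    if ($scopes -contains 'All')                { $flags += 'all-scopes' }
    [pscustomobject]@{
        LogonName = $admin.LogonName
        Roles     = ($roles  -join ', ')
        Scopes    = ($scopes -join ', ')
        Review    = ($flags  -join ',')
    }
}

# Accounts needing review come first
$report | Sort-Object { $_.Review.Length } -Descending | Format-Table -AutoSize
```

A Full Administrator with the "All" scope can act on every object in the hierarchy, so each such entry should map to a documented need; everyone else is a candidate for a narrower role such as Endpoint Administrator combined with a specific collection scope.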
Management Point

1. A site system role that provides policy and service location information to clients and receives configuration data from clients.
2. Facilitates communication between clients and the SCCM server.
3. An initial management point was installed during SCCM installation.
4. No longer need to use load balancers for high availability; clients use AD to find the right MP.
5. Services previously offered by the server locator point role have been merged into the MP.

Every primary and secondary site requires that an MP be specified.
- CAS cannot host an MP
- Secondary sites can use a proxy MP

MP requirements:
- IIS
- Background Intelligent Transfer Services
Distribution Point

A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. A DP was installed during SCCM installation.

Changes in SCCM 2012
- Branch DPs are gone; replaced with the ability to configure a Windows client as a DP (drawback: 20 connections max)
- PXE service point is now a DP option
- Background Intelligent Transfer Services