
Tech Ed 2013- PRC05: Simplify and Maximize System Management with System Center 2012 Configuration Manager SP1: Notes from the Field

Presenters: Johan Arwidmark, Kent Agerlund

Join Johan Arwidmark and Kent Agerlund, two of the world’s foremost Microsoft System Center 2012 Configuration Manager experts, in a dazzling pre-conference on how to use Configuration Manager 2012 in the real world. Learn about the changes in Configuration Manager 2012 SP1, how to build a Configuration Manager 2012 SP1 infrastructure, how to migrate from Configuration Manager 2007, how to deploy applications and updates, and how to deploy and manage Windows 7 and Windows 8 operating systems.

Kent and Johan share their notes from the field, and their tips and tricks for making System Management using Configuration Manager 2012 even better. If you are working with, or thinking of moving to Configuration Manager 2012 SP1, this is the preconference you cannot afford to miss.

 

 

Alrighty, switching gears: let's take a look at Win7/8 deployment with SCCM. We'll talk about larger images and recovery with offline servicing and BitLocker. Where an XP image might be 0.5 GB, a Win 7/8 x86 image might be 2.5 GB, and with x64 we might get 3.0 GB or more. This is for the base image, without all the things you and I might add. One of the cool things I see in the SCCM deployment tool is including patches on the fly during imaging. New in 2012 SP1, we can pre-provision BitLocker before OS install.

 

In Win8/2012 deployments we need to use the ADK, containing VAMT, USMT, and …

 

Config Mgr 2012 has been seen PXE booting a machine in 10-15 seconds using WDS and multicast. Not a huge difference from 2008, but there is a noticeable improvement.

 

Multicast is not perfect, but is trying to do packet validation and keep itself honest.

 

MDT can be lite touch for reference images, and zero touch for final deployment. MDT 2012 with Config Manager gives us a couple of hundred features and functions that are commonly useful in any deployment. One callout is dynamic deployments, allowing us to script WIMs based on the needs of the target user. We can also do a deployment test to predict how a deployment will go. Much of this functionality is available via OSD. Gather.cmd in OSD might be useful from a K1000 custom inventory rule, for example. These dynamic lists allow us to install packages and applications that are identified for need based on things like hardware type, OS installed, OU targeted, etc.

 

UDI lets us use a wizard to paint a picture of what the deployment should look like, build it dynamically based on the user, and ask the questions whose answers are needed during a dynamic deployment.

 

There's a new standalone MDT 2012 Lite Touch option. This can be really useful for capturing a reference machine. Why? Small agent, and no SCCM agent. This allows us to use the reference image for any deployment solution (like a K2000), and it's also 2x faster than Config Mgr. Requirements? An SMB share, that is, a folder. xcopy, richcopy, robocopy, etc. can then move files wherever you like. Lite touch also makes it very easy to suspend/pause the sequence so we can do something manually if needed. Injecting profiles (or scripting it for later) is also a plus. Now that's not to say there aren't downsides: thick images might be cumbersome when we have lots of packages to include. Also, getting patching into lite touch would require a standalone WSUS server that is not part of SCCM or your normal patching environment, or you could just use your K1000 and some detection labels that notice brand new machines and patch them up.

 

Tools/docs for the ini file? Check his blog and book :)

 

Windows PowerShell ISE can be an awesome tool for building a good PS.

 

Wimscript.ini can control the compression mechanism for capture, while customsettings.ini is useful for all things dynamic deployment. These are great things to explore, guys. K2, K1, SCCM, any deployment solution: know about these files.

 

Johan will be talking more about drivers on Thursday. Not sure if I'll make it to that.

 

Let's talk about Application and software updates

The "Application Model" incorporates all supported software types, requirement rules, detection methods, dependency handling, and supersedence and uninstall.

 

Looking at the application wizard, and talking a bit about managing apps for iOS and Android, and of course Windows Mobile. Looks like there's a class on Windows Intune that will have more on mobile on Day 3 (Wednesday).

 

Looking into the more important :) side of things: apps for desktop machines. There's a lot of flexibility here, but not much intelligence or ease of use, in my opinion. We can use MSI of course, but it appears there's no information gathered dynamically about the software upon import of the media. He did load the software from a zip file that contained more files. Your metadata will be very important. Around the zip: is it deployed as a compressed payload, or unzipped at the server level? Potentially useful is that I can set my own icon for the app catalog. Can use icon extractors or a website like iconarchive.com to get those.

 

Requirement rules can be any type of query and/or device requirement rules. 

Custom global conditions could be quite useful. We can look at expressions from registry, SQL, etc. Combined with device and user conditions, we can build some functionality and intelligence into an app deployment. Seems an awful lot like what K1000 has had for years, but good to see :)

 

Now that folks are asking questions of the presenters and challenging the functionality of SCCM for application deployment, we're stumping the presenters, and they have a few things they want from the tool too that it just can't do. Most of these things are based on dependencies, subsequent actions, and similar types of activities.

 

The application conversion manager can be helpful in converting installers that SCCM can use. It works well on simple packages, but not complex ones. 

 

Can SCCM handle patching? Yep, at least MS updates. The tool needs to understand the vulnerability (intelligence), understand the environment (scan the environment), then of course create the patch and deploy it. It seems like there's an easier way: K1000! I'm not trying to pick a horse, but if I'm supposed to use SCCM 2012 it should be easy, and it's really not, guys.

 

Non-MS packages are really just handled as regular software packages. There's no intelligence. The speaker told a story about charging a customer for a JIT package build for Java 1.7.x; the customer didn't know much about their environment, so they didn't know they didn't have Java 1.7. While he was telling that story I built a Java installer and patch label on my K1000. Took about 10 minutes (including 5 mins to download on my slow wifi) and it was primed to roll out. He spent all night building and billing his customer. No offense to the instructor, he's great, but c'mon SCCM. That being said, the SCCM patching for Windows and Microsoft apps is really good. Fast, fairly easy, and more robust than WSUS. The K1000 still wins in my opinion due to ease of use, robustness, and flexibility across platforms and vendors.

 

For mobile workers, I guess we can use SP1 for SCCM and fail over to Windows Update, but that's not very managed. I also can't do sequence-based events for internet-based clients. That's no bueno; no one knows if that's a future feature. VPN/DirectAccess is doable, but that's not really a solution for schools and such.

 

Check this out! http://blog.coretech.dk/kea/new-version-of-the-coretech-shutdown-tool/ Very cool stuff from Coretech.dk; these guys have some great tools. Much of what we all want to do in SCCM, they have built tools for. Johan and Kent are great!

 

We asked where they pull their updates from, given that 80% or more of vulnerabilities are no longer from MS issues. Sometimes to do the best risk analysis you've got to prioritize and get the big bang for the buck. They use the SolarWinds and Secunia catalogs as well as System Center Updates Publisher. Secunia is mainly cloud based, but you can get a local copy if needed. SolarWinds and Secunia are great risk analysis tools.

 

 The annoyance of automatic upgrade notifications is still not solved, but there is automation available for disabling them. 

 

I'd like to see some integration of disabling automatic updates, as well as maybe something like Secunia into the K1000. 

