How to Get the Most from Your Microsoft Configmgr 2012 Migration via 1E
7/25/2019 How to Get the Most from Your Microsoft Configmgr 2012 Migration via 1E
http://slidepdf.com/reader/full/how-to-get-the-most-from-your-microsoft-configmgr-2012-migration-via-1e 1/211E.COM
WHITE PAPER
HOW TO GET THE MOST FROM
YOUR MICROSOFT CONFIGMGR 2012 MIGRATION
CCM201
THE AUTOMATED MIGRATION: AN ANALYSIS OF OPTIONS
Contents
Overview
ConfigMgr 2012 Migration Options
Getting the Most from ConfigMgr 2012
1E Nomad: Enhancing Your ConfigMgr 2012 Infrastructure
How Else Can 1E Help
Abstract
This white paper sets out how you can expedite your migration to ConfigMgr 2012. When the migration is done, or if you have already migrated, it also provides ideas to maximize SCCM 2012’s benefits and to lower your costs.
The Authors
Several of 1E’s ConfigMgr technical specialists have contributed to this document, namely: Shaun Cassells, Troy Martin, Mike Terrill, and Paul Thomsen.
ARE YOU GETTING THE MOST FROM YOUR CONFIGMGR 2012 MIGRATION?
Overview
Microsoft® System Center Configuration Manager 2012 (“ConfigMgr” or “SCCM”) has been well received by organizations of all types and sizes around the world. Many of the organizations that 1E works with have moved to it, are moving to it, or have imminent plans to do so. If you are preparing to upgrade or are in the midst of such a project, this is the ideal time to expedite your project, minimize your costs, and maximize the benefits from ConfigMgr. If you’ve already made the move, you can build on the lessons you’ve learned to make your ConfigMgr implementation even better.
Based on 1E’s many years of experience as Microsoft’s premier ConfigMgr partner, this document provides you with a wide variety of ideas and options to maximize the return your organization is getting from your ConfigMgr investment. You can consider implementing these ideas yourself, and where appropriate talk with 1E about how we can help.
This document suggests options such as:
• Use industry best practices when using the key SCCM 2012 features
• Keep your ConfigMgr hierarchy as simple as possible (especially since SP1’s availability) – you can add a Central Administration Site (CAS) or other primaries later if business developments require them
• Flatten your server infrastructure and cut on-going running costs
• Consider the Intune integration option so that you can manage consumer-oriented devices in addition to Windows computers (as well as Macintosh and Linux)
• PowerShell support brings a new level of customization and control
In 2012 1E consultants took a deep dive into SCCM and published their tips for success. Those original observations proved to be very helpful and popular so we were pleased to update them in 2013 for Service Pack 1 (SP1). Later in this document you will find updates to the changes that were made in ConfigMgr 2012 R2 and the changed environment ConfigMgr now serves.
ConfigMgr 2012 Migration Options
If you are planning to migrate to ConfigMgr 2012 or are in the midst of your project, you should consider your migration options. The benefits include:
• Minimizing your ConfigMgr server footprint and maximizing reliability and performance
• Reducing the deployment timeline by two thirds
• Improving your patching and software distribution success
Doing the migration with your own staff and just SCCM might be a viable option if you are prepared to delay other projects, often by months. You will need time to set up a lab, educate the team on the migration process, build a design and process, test the process in the lab, plan for production, and then do the actual work of the migration itself. There is also the risk that you will miss lessons that have been learned elsewhere, given that this is your first opportunity to actually do a migration to SCCM 2012. The challenges and risks increase dramatically if your organization is fairly large, is very diverse, or has other unique characteristics.
You should also consider how well the end state will serve your needs. As a long-time partner of Microsoft, 1E is very impressed by the capabilities of ConfigMgr 2012 and is very pleased to specialize in it. However, 1E has worked with hundreds of organizations where SCCM could be enhanced to even better serve the organization. Such enhancements are why Microsoft so greatly values its huge partner ecosystem. Therefore it is prudent to take time to consider whether additional software would allow SCCM to work even better for you. Taking time to read this whitepaper is a great first step.
The cost of additional services and software is often a concern and we are pleased to discuss that with you. Our experience has been that the benefits are so dramatic, in hard savings, that the investment quickly pays for itself. We have the analysts to help you quantify those savings and we have the history to prove that the savings will be realized as planned. Our large support and engineering teams ensure the savings continue to be realized for years, long after the investment has paid off.
If you see the potential that 1E’s consultants, software, or partners can help you, we encourage you to contact us. We will be pleased to meet at a time and in a format that works well for you to explore the possibilities. Our professional account and technical teams will carefully listen to your challenges and requirements and then explain our solutions to whatever degree you like. If there are better alternatives we will point them out and leave you to them. We are here to help, as we have done with so many organizations since 1997.
Getting the Most from ConfigMgr 2012
Whether you are about to migrate to ConfigMgr 2012 or are already there, you should investigate how you can get the most from SCCM. This section highlights key changes in ConfigMgr 2012 as compared with ConfigMgr 2007 and provides an overview of the lessons that 1E has learned in relation to them.
Application Management
The deployment of software is the primary function of most ConfigMgr implementations. In ConfigMgr 2007, software distribution was achieved by defining packages and programs and then advertising the programs to collections of clients or users.
Different installation types (e.g. 32-bit and 64-bit installation) could require separate programs. Typically, a collection would define the target for each installation type (query-based collections define the logic that determines which systems should run the program).
Those legacy objects are still available in ConfigMgr 2012, and are in fact still required for some of the content required in an operating system deployment task sequence (such as boot images, OS images, driver packages and the ConfigMgr client agent). However, ConfigMgr 2012 introduced a completely new alternative approach to software distribution – application management.
For application management, an application has a number of deployment types, each defining the required source files, install and uninstall command lines and user experience (e.g. whether a user needs to be logged in), similar to the properties of the legacy packages and programs. Deployment types are deployed through a deployment, which isn’t all that dissimilar from the concept of an advertisement.
The most significant difference with SCCM 2012 application management is that the deployment type also defines the targeting logic, which is evaluated on the client each time the Application Deployment Evaluation Cycle occurs. Application management uses the same ‘engine’ as the Compliance Settings, so the decision whether to install can be based on values from Windows Management Instrumentation (WMI), the local registry, the return code of a script, the result of a Microsoft SQL Server database query, or the user (either logged on at the time, or the primary user of the device).
The collections targeted by a deployment can therefore be much more encompassing – now you needn’t panic when you accidentally deploy to All Systems (as long as you have the right conditions defined in the Deployment Type requirements).
SP1 extended this model by improving the App-V support and adding Windows 8 support.
Migrating to ConfigMgr 2012 does not require migrating to application management right away, but you should consider doing so when time permits in order to take advantage of its benefits:
• Applications are state based, so if an application is uninstalled from a client, it will be reinstalled automatically in order to restore the intended state of the client
• The evaluation as to which clients or users receive the application is done on the clients, so the workload on the servers is reduced (particularly in terms of collection evaluation)
• Applications can be made available to users in the Application Catalog, thus enabling a user-centric service model
Site Hierarchy
ConfigMgr 2012 should keep the minimalists happy – the architecture is designed for a much flatter hierarchy, and in fact, a single site ConfigMgr 2012 hierarchy is used by most organizations with fewer than 100,000 clients to manage.
An important change in the SCCM 2012 architecture for those organizations that do require multiple sites is the Central Administration Site (CAS), which is in some ways similar to an SCCM 2007 central site, but no clients can be managed directly from the CAS.
A key role of the CAS is to coordinate replication of data throughout a hierarchy, so it is not required if you are going to manage your entire environment with a single primary site. As of SP1, a standalone site can be attached to a CAS at a later stage. A CAS also enables a failed primary site to be recovered even without a backup. It is worth noting that only primary sites can attach to a CAS, and only secondary sites can be attached to these primary sites, so effectively your hierarchy will not exceed three tiers for the core sites (additional secondary sites can be lower tiers).
Even the role of the secondary site is somewhat changed in ConfigMgr 2012. One of the main reasons for deploying secondary sites in ConfigMgr 2007 was to be able to manage network bandwidth for the distribution of content (packages, updates and OS images).
In ConfigMgr 2012, distribution of content to remote distribution points can be scheduled and throttled in the same manner as site-to-site traffic, so unless you are concerned about the volume of traffic going back to the primary site (inventory, status, software usage, etc.) you can do without secondary sites. It’s worth noting that secondary sites require a SQL database in ConfigMgr 2012; however, the secondary site installation will install Microsoft SQL Server® Express if a supported version of SQL Server is not installed locally.
In ConfigMgr 2012, boundaries are used to identify network locations and are available to all Sites in the hierarchy. Boundaries are then grouped together in boundary groups, which can be optionally associated with a particular site for client site assignment. For example, each of the LANs in a particular location, like a branch office or a retail store, would be added as individual boundaries, and these boundaries would then be added to a boundary group that identifies that location. The boundary group can then be associated with the primary site that should manage that location.
Given all these options, you can do a lot to simplify your SCCM hierarchy and therefore simplify operations and increase reliability:
• Don’t include a CAS unless you must
• Only use secondary sites in locations with a large number of clients and/or if you expect a very large volume of data to be frequently reported up the hierarchy
• If you must have multiple primary sites, keep the count as low as possible
Site-to-Site Replication
If you have need for a multi-site ConfigMgr hierarchy, you should be aware that site-to-site communication has received a major overhaul in ConfigMgr 2012. Database replication has replaced most of the legacy file transfer in and out of inboxes (content, as in packages, applications and operating system deployments, is still replicated using the file system).
Most changes in any site will be replicated globally to all sites in the hierarchy, not just to the parent or child sites. To help monitor and resolve replication issues between the sites there is a Database Replication node in the Monitoring section of the console that shows the status of any links. The Replication Link Analyzer is an additional tool that enables further analysis and remediation of SQL replication issues between sites.
SP1 improved replication by giving you more control in terms of what is replicated and when.
Administration
The administration console was historically a big pain point for ConfigMgr 2007 administrators. Not only was it difficult to control (to allow certain users to only see the features they administer) but it also crashed too often. The administration console in ConfigMgr 2012 has been completely redesigned and rewritten from the ground up. It does not use Microsoft Management Console (MMC), and displays only the features the administrator has rights to.
SP1 enhanced the administrative model even further. New PowerShell support extends your administration options so that you can automate ConfigMgr operations even more than in previous versions. The addition of the Client Operations infrastructure allows you to initiate Endpoint Protection and client policy refreshes whenever you require them.
Managing Clients Over the Internet
The complexities of Native Mode in ConfigMgr 2007 no longer exist in ConfigMgr 2012 as the Mixed and Native Site modes are no more. Instead, the various Site system roles within the Site are configured to support HTTP or HTTPS connections (or both).
Within a Site, multiple site systems (e.g. management points) can be deployed, allowing one or more servers situated in a demilitarized zone (DMZ) to host internet-facing roles using HTTPS, with the same roles hosted on an internal server using HTTP.
Use of HTTPS still requires public key infrastructure (PKI) to enrol client and server certificates (mutual authentication is still required); however, the Site Server Document Signing Certificate is now created by the site as a self-signed certificate.
By default, if a client has a client authentication certificate issued by a trusted Certificate Authority (CA) it will use HTTPS and will be able to communicate with all Site systems that are configured to support HTTPS. If no such client authentication certificate exists, the client will use a self-signed certificate and use HTTP to communicate only with site systems that are configured to support HTTP.
New to ConfigMgr 2012 is the possibility for Internet-based clients to evaluate a user-based policy (such as application deployments). In order for this to occur, either the management point (MP) and user account must be in the same forest, or a trust must exist between the forests in which the MP and the user account reside. In either case, any perimeter firewall must allow AD authentication traffic between the MP and a domain controller in the user account’s forest.
Exciting SP1 changes include the ability to use cloud-based (Azure) distribution points and to enable clients to get software updates from Microsoft Update if corporate DPs are not available.
ConfigMgr 2012 SP1 and R2 demonstrate Microsoft’s commitment to dramatically improving your internet client management options. The Intune integration is much more robust and a larger variety of clients are supported. With R2 you can also now manage iOS 7 settings, deploy web application shortcuts, and use Windows 8.1 app bundles.
Similarly, remote connection, certificate, VPN, Wi-Fi, and email profiles make it easy for you to enable mobile user support, rather than having to implement your own solution.
As your users increase their expectations for mobile support, and ConfigMgr increasingly enables it, you should consider implementing these features in your organization.
Scalability
A ConfigMgr 2007 hierarchy could support a maximum of 200,000 clients (300,000 with R3). ConfigMgr 2012 supports up to 400,000 clients in a single hierarchy when the database for the Central Administration Site is running SQL Server Enterprise. Each Primary Site can support up to 100,000 clients if the database and Primary Site roles are hosted on separate servers. The SP1 database replication options ensure that you can fine tune it in even the most challenging environments.
As with ConfigMgr 2007, each Management Point (MP) can support up to 25,000 clients. However, the concept of a Default Management Point no longer exists in ConfigMgr 2012, and neither does support (or necessity) for Network Load Balancing (NLB) an MP. Instead, up to four servers can host the MP role and clients manage the load balancing in much the same way as they do with Distribution Points (DPs). ConfigMgr 2012 also increases the number of supported DPs per Site from 100 to 250, each supporting up to 4,000 clients.
At first you might think that scalability is not an issue for you, unless you work for a very large organization. However, even medium-sized organizations could have a very large number of clients when you take into account the multiple devices that users often have. So if users typically have a laptop, tablet, and phone, and you manage them all, then an organization with 50,000 to 100,000 users could have some scale concerns. Add in a lot of data-center servers, point-of-sale systems, robotic control systems, or similar options and even current ConfigMgr 2012 scalability is worth taking seriously.
Distribution Points
There are some notable changes in the role of the distribution point (DP) in ConfigMgr 2012. The branch distribution point (BDP) distinction has been dropped in ConfigMgr 2012. Instead, there is a single DP role that can be installed on servers (2003 upwards) and workstations (Vista upwards). Interestingly, the DP role is the only site system that is supported on both 32- and 64-bit computers; all other site systems require a 64-bit OS. Distribution of content to remote DPs (i.e. any DP that is not hosted on the same LAN as a site server) can use scheduling and throttling similar to that defined in our old friend, the site-to-site address, that has survived since the first version of SMS.
By default all content is obtained by clients using HTTP (or HTTPS), which means that any system (including a workstation) hosting a DP needs Internet Information Server (IIS) installed.
Although there is the option to establish content for specific packages on a ‘legacy style’ DP share (this is in fact necessary if you want to use OS deployment task sequences that obtain content directly from the DP), the HTTP/S server must always be present. If you currently use network-attached storage (NAS) devices to host ConfigMgr 2007 DP shares, you are going to need a new strategy for ConfigMgr 2012.
The DP role now incorporates the Preboot Execution Environment (PXE) service as an optional feature if the DP is hosted on a server operating system. Windows Deployment Services (WDS) is still required for PXE booting in ConfigMgr 2012. Talk to 1E about Nomad, which not only eliminates the need for any kind of DP in your remote locations but also enables PXE to be served from a workstation. Nomad 2012 integrates seamlessly with the ConfigMgr 2012 operating system deployment (OSD) process, using content stored on local peer workstations to complete a full OS Deployment without impacting the WAN.
Configuration Manager 2012 SP1 and R2 also introduced and enhanced a new “pull distribution point” role, or pull DPs. The benefit of pull DPs is that they offload the site-to-DP content distribution workload from the site server to the DPs. They do not provide any benefit in getting the content to the clients and they may in fact complicate that process by adding more “moving parts”.
Also new are “cloud DPs”, meaning distribution points hosted on Microsoft Azure. These can be useful for clients on the internet but you should pay close attention to their costs. If used, they are most appropriate for small critical deployments to a limited number of clients.
Users in Control
ConfigMgr 2012 has been built with the user in mind. The Software Center, installed on all clients, provides an interface for the user to manage the installation of software that has been made available to them and to view software that has been installed by ConfigMgr. The Software Center can also give the user control over the ConfigMgr actions that are likely to impact them most. For example, a user can define their working day, and software deployments and updates can be configured to respect these and deploy outside of these hours.
1E Shopping provides a much richer experience with configurable approval workflow, support for system as well as user based deployments, and optional restriction of deployment if insufficient licenses exist.
It integrates with other service desk systems and enables users to rent applications for a fixed period after which they are automatically put back into the pool for other users to employ, further reducing the costs associated with purchasing unnecessary software licences.
Note that Shopping allows for quarantine periods required by some specific software vendors when reallocating licensed software.
SP1’s extension of ConfigMgr to the device and Macintosh environments allows organizations to empower their users to use the solutions they want while ensuring IT control for security and similar requirements is maintained.
Client Health and Efficiency
There are a number of features in ConfigMgr 2012 to ensure clients remain healthy, operational and efficient. The reality is that once your hierarchy has been deployed for a year or more, somewhere between 5% and 15% of your clients will experience issues and may stop communicating with ConfigMgr if you don’t intervene.
ConfigMgr 2012 directly addresses this problem with ConfigMgr Client Health evaluator. This program (which runs as a scheduled task separate from the ConfigMgr client’s service) detects and remediates the most common causes of client failure, reporting its activities to ConfigMgr.
ConfigMgr 2012 clients can also automatically upgrade themselves to the latest version if their version is below the specified version. You enable this from site settings and you can configure the maximum number of days before the client must upgrade. In addition to this you have control over whether the clients’ installation files are downloaded or not if the distribution point is on a slow link, and they can even have a fall-back source location. (Note: Microsoft recommends using this as a catch-all after the bulk of any upgrade has finished.)
To protect clients from malware, ConfigMgr 2012 has Endpoint Protection fully integrated, so no more running two separate infrastructures. The Endpoint Protection client is installed using ConfigMgr 2012 client settings, so there is no need to create any packages or programs.
Endpoint Protection reports and dashboard are integrated into the ConfigMgr console, further simplifying operational tasks. There is even an out-of-the-box security role for the Endpoint Protection Administrator, defining all the necessary rights to enable the role to be delegated. And with SP1 you can initiate Endpoint Protection activities when you need them using the new Client Operations feature.
Keeping up to date with software updates is an important step for ensuring the health and functionality of a client. A significant improvement to management of software updates in ConfigMgr 2012 comes with the Automatic Deployment Rules feature. Administrators can ensure updates are automatically downloaded, approved and deployed based on specific criteria, instead of manually carrying out tasks. For example, this could be used to automatically deploy all critical updates for Windows 7, or to automatically deploy recent signature definitions for System Center 2012 Endpoint Protection.
If you do not want to deploy automatically, the rules can be configured to retrieve compliance information from client computers for the software updates without deploying them.
ConfigMgr 2012 R2 further enhanced software updating by allowing you to specify maintenance windows that are for software updates only. Software distribution and task sequences can be done at other times using other maintenance windows.
Power Management, introduced in ConfigMgr 2007 R3, is enabled by default in ConfigMgr 2012 and includes some minor enhancements. It continues to enforce the same peak and non-peak power plan settings for turning off the display, inducing sleep or hibernate modes, controlling battery notifications and button actions and scheduling desktop computers (deliberately not laptops) to wake from sleep. You can now copy settings from another Collection so you only have to tweak the differences. Also, users can now exclude their PC from power management, which you can report on and over-ride. NightWatchman Enterprise from 1E fills in the gaps, enabling scheduled shutdown and wake-up for all systems, over-riding processes that prevent computers from going to sleep and enabling potential application issues when resuming to be addressed, as well as providing other key features.
Client Configuration
In previous versions of ConfigMgr, client settings were configured by site. In ConfigMgr 2012, the default client settings (a bit like a ‘profile’ of settings) are applied to all clients in the hierarchy.
As well as editing the Default Client Settings, it is also possible to create your own settings ‘profiles’ that can be applied to specific Collections. For example, you may have Installation Permissions configured globally to allow Administrators and Primary Users to initiate software installations, but a custom client setting can be configured to allow no users to initiate software installation for a group of sensitive computers.
The definition of WMI classes that get reported through Hardware Inventory is now managed through the Client Settings interface in the console. No more editing SMS_DEF.MOF or CONFIGURATION.MOF (Microsoft Operations Framework). What is really cool with this interface is that new classes can be added by connecting to WMI on any computer and browsing to the class you want to report on. In addition, custom hardware classes may be exported to a MOF file and imported in the same interface. This allows custom inventory settings to easily be transferred from a lab environment to your production environment.
Administrators in Control
Central to simplifying ConfigMgr hierarchies is removing the need to have primary sites to manage subsets of clients. With ConfigMgr 2007 you might have created a separate SCCM site to manage datacenter clients, another for your clients in Europe, and another for the executives’ computers.
The same logic could have applied to managing their ConfigMgr objects, such as packages, task sequences, and software update deployments. SCCM 2012 gives you new options to put such controls in place without having to add primary sites.
The first set of such controls are what we’ll call “assignment collections”, meaning collections used to define the clients and users that the administrators can manage, and then assigned to them. When setting up administrators in the ConfigMgr console you should specify one or more collections that the administrators can use.
When those administrators are creating deployments or otherwise managing clients they can then use those collections to target the right clients or users, or use collections that are directly or indirectly limited to those assigned collections. Clients or users that are outside those assigned collections are not available to them.
The second set of such controls are
“security scopes”. Scopes control which
CongMgr objects the administrators cansee in the CongMgr objects (except for
collections and the clients and users in
those collections, which are limited as
above). So scopes control which
administrators can see applications,
packages, deployments, task sequences,
sites, distribution points, software
metering rules, conguration items, and a
wide variety of similar objects.
When creating such objects they can
assign them only to scopes that they are
limited to, and thus other administrators
cannot see the objects they have created
unless the other administrators are also
assigned to the same scope.
The third and nal set of controls are
“security roles”, meaning the CongMgr
permissions that the administrators have.
There are a number of predened sets of
permissions (roles) and you can easily
create more.
Between these three sets of controls you
can ensure that administrators can do
only what you intend, using only the
objects you want, to the appropriate set
of clients or users. You can be condent
that they won’t do more than intended,
no matter what site they have access to.
However, you should also consider
whether you need a mechanism to
coordinate object creation. For example,
administrators from multiple scopes may
require an Ofce 2013 application, but thesecond administrator to have such a need
might not be able to see that another
administrator has already created one
because they are in different scopes.
With appropriate coordination the
second administrator could ask a senior
administrator to add his scope to the
already existing application, allowing him
to see and use it as well.
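
The three controls and the coordination gap described above can be modelled in a few lines. This is an added example, not ConfigMgr code or part of the original white paper; the role names, permission strings, scope names and collection names are constructed for illustration and are not ConfigMgr identifiers.

```python
from dataclasses import dataclass
from collections import defaultdict

# Simplified model of the three controls. Role names and permission strings
# are constructed for illustration; they are not ConfigMgr identifiers.
ROLES = {
    "AppAuthor": {"read", "create"},
    "AppDeployer": {"read", "deploy"},
}

@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset        # security roles: what the admin may do
    scopes: frozenset       # security scopes: which objects are visible
    collections: frozenset  # assigned collections: which clients are reachable

@dataclass(frozen=True)
class SecuredObject:
    name: str
    scopes: frozenset

def permissions(admin):
    """Union of the permissions granted by every role the admin holds."""
    return set().union(*(ROLES[r] for r in admin.roles))

def can_see(admin, obj):
    """An object is visible only if it shares a scope with the admin."""
    return "read" in permissions(admin) and bool(admin.scopes & obj.scopes)

def can_deploy(admin, obj, target_collection):
    """All three controls must agree before a deployment is allowed."""
    return (
        "deploy" in permissions(admin)
        and can_see(admin, obj)
        and target_collection in admin.collections
    )

def uncoordinated_duplicates(objects):
    """Names that exist more than once in scopes that do not overlap."""
    by_name = defaultdict(list)
    for obj in objects:
        by_name[obj.name.casefold()].append(obj)
    return sorted(
        name for name, objs in by_name.items()
        if any(not (a.scopes & b.scopes)
               for i, a in enumerate(objs) for b in objs[i + 1:])
    )

# Constructed sample data.
emea = Admin("emea-admin", frozenset({"AppAuthor", "AppDeployer"}),
             frozenset({"EMEA"}), frozenset({"EMEA Workstations"}))
apac = Admin("apac-admin", frozenset({"AppDeployer"}),
             frozenset({"APAC"}), frozenset({"APAC Workstations"}))
office_emea = SecuredObject("Office 2013", frozenset({"EMEA"}))
office_apac = SecuredObject("office 2013", frozenset({"APAC"}))
office_shared = SecuredObject("Office 2013", frozenset({"EMEA", "APAC"}))
```

Running `uncoordinated_duplicates` over an export of object names and scopes is one way a senior administrator could spot applications that were created twice because neither author could see the other's copy.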
become unavailable. Elections are
weighted to ensure that the optimal
client is elected as the master. That
weighting especially favors clients that
already have the needed content, but if
none have it yet then the software is
downloaded from a ConfigMgr
distribution point. As the download
commences, the solution’s peer-to-peer
model immediately fans out the content
to more local clients, enabling fast and
efficient distribution across locations and
subnets.
Nomad’s automated discovery of
network topography enables
administrators to treat multiple subnets
as a single subnet. Nomad has the option
to add a central server role
(ActiveEfficiency) that automatically
maintains a list of subnets at all locations.
If a master on a subnet at a location
requires content that is available on a
Nomad client on another subnet at that
location, the master can find that client
via ActiveEfficiency and obtain that
content directly from it. This eliminates
the need for the master to download its
copy over the WAN from a central DP. For
large content or at locations with
especially constrained WAN network
links, this can be quite beneficial.
Operating System deployment (OSD)
especially benefits from Nomad’s
strengths. Operating System images
themselves are often very large, as in
gigabytes, but at the same time clients
will also need a variety of applications,
device drivers, patches, and possibly
other files. Furthermore, users do not
want to be without their computers for
long, so there is limited time to install all
that software let alone download it.
Therefore Nomad’s ability to reliably
provide the content from the LAN
anywhere in your organization is crucial
to your OSD success. You will usually
want to precache that content so that it is
ready for the first client to be upgraded,
but Nomad readily accommodates
precaching. Nomad also helps with
storing user data (USMT data) and PXE
booting as discussed in the “Server
Reduction” section.
The use of clients for software
distribution is how Nomad can deliver
those enormous reductions in the server
footprint.
Server Reduction
With Nomad, organizations looking to
migrate can design an SCCM 2012
infrastructure with the bare minimum of
distribution points and secondary sites.
Even PXE server roles and state migration
points can be eliminated. Often 95% or
more of those servers can be eliminated.
If you’ve already migrated then you can
consider removing the servers, reusing
them for other purposes in your
organization.
In some cases the servers used for DPs or
even secondary sites are also used for
other purposes, such as file serving or
print sharing. Therefore removing the
need for ConfigMgr does not allow
removal of the servers themselves.
However, the fact that you don’t need to
deployment, and then you don’t need to
maintain them, is a considerable saving in
itself.
Not only does Nomad deliver
transformative cost savings in terms of
capital investment; dramatically reducing
the server footprint also results in
ongoing maintenance cost savings as
well as signicantly reducing the
manpower and time needed to deploy
SCCM 2012.
Because Nomad uses any or all
ConfigMgr clients and the master
(sharing) role is dynamically elected any
time content is needed, any issues with
Nomad or the computers Nomad is
running on do not prevent Nomad from
functioning. Another computer is elected
and the process continues.
Similarly, any changes in the network do
not affect Nomad because the primary
network activities are local to the subnet
– the subnet address and topology do not
matter to Nomad and thus can change at
any time without adverse effect. If the
content is not available on the subnet
already then Nomad must be able to
contact a distribution point, but that DP
will be one of a small number of DPs,
likely in a central and very stable data
center.
The ConfigMgr PXE functionality is a
DP-specific function and therefore every
PXE server is also a DP. However, a
Windows Server Operating System must
be used. Nomad’s PXE option can run on
any workstation Operating System such
as Windows 7, Windows 8, or even
Windows XP.
State migration points are useful when
migrating users from one computer to
another or in some cases when upgrading
Operating Systems. However, they are
another role that must be configured and
maintained and considerable disk space
must be provisioned and maintained.
Nomad can serve this purpose in a very
similar manner to how it delivers content
– automatically and dynamically.
Many organizations have tried but
struggled to use large numbers of
secondary sites, distribution points, or
branch distribution points. This has often
led them to come to 1E and Nomad.
Secondary sites and distribution points
can work well enough in small numbers (a
dozen or two), but as the numbers
increase the odds increase even faster
that at any given time a DP or site will be
broken for a variety of reasons.
Therefore your deployments will not be
as successful as they should be, requiring
you to track down those issues and spend
time resolving them. This work can be
very time consuming, and tedious, if you
have a sizable number of servers.
DP and site challenges come in various
forms but often include:
• Hardware issues, including failures, full
disks, or performance limitations
• Operating System issues, including
compatibility issues
• Networking issues such as IP address
changes and subnet changes
  o Remote SCCM servers are often
    “protected” to serve local clients
    only by assigning “boundaries” to
    those servers. However, the
    networking team may not always
    remember to coordinate with the
    ConfigMgr team, leaving ConfigMgr
    servers to be assigned the wrong
    boundaries
• Coordination issues – the people
responsible for the server may not
coordinate with the ConfigMgr team
when swapping hardware, shutting it
down for maintenance, moving it, etc.
• End-of-life replacement – even
though this work is predictable, it is
still time consuming to arrange
Bandwidth Efficiency
There is a significant flaw in most
bandwidth throttling techniques: they
involve setting percentage limits for IT
traffic across the network. The problem is
that these thresholds are static and result
in the enterprise either not using all of the
available pipeline, or in slowed delivery as
different functions compete for
bandwidth. With Nomad, content is only
downloaded to a location once and from
then on it is shared locally from peer to
peer.
Nomad’s intelligent bandwidth
monitoring and usage management
reacts in real-time to the existing traffic.
It eliminates the competition between IT
and business traffic without the need for
scheduling or delaying IT tasks until close
of business. As Nomad is downloading it
will monitor for latency in the
downloading.
If any is detected then that is evidence
that there is contention on the network
links somewhere between the master
and the central DP that it is downloading
from. Access to routers is not needed
and the topology of the network does not
matter – it is sufficient that Nomad sees
latency. In that case it will immediately
reduce its download rate, allowing the
other traffic to take priority on the WAN.
When the latency disappears Nomad will
carefully increase its download rate until
it is downloading as fast as the WAN will
support. In this way the WAN is providing
maximum benefit at all times, either to
the other business traffic (as the first
priority) or to Nomad.
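
The difference between a static percentage cap and a latency-reactive download rate can be seen in a small simulation. This is an added example and not 1E's implementation: the halve-on-latency and step-up constants, the link capacity and the traffic trace are all constructed assumptions, and the model treats any tick in which offered load exceeds the link capacity as a tick in which latency is observed.

```python
CAPACITY = 100  # link capacity per tick, arbitrary units (constructed)

def static_throttle(percent):
    """Fixed cap: always offer the same share of the link."""
    rate = CAPACITY * percent // 100
    def next_rate(_rate, _latency_seen):
        return rate
    return rate, next_rate

def latency_reactive(start=10, step=10, floor=5):
    """Back off sharply on latency, otherwise probe upward in small steps."""
    def next_rate(rate, latency_seen):
        if latency_seen:
            return max(floor, rate // 2)
        return min(CAPACITY, rate + step)
    return start, next_rate

def simulate(controller, business_trace):
    """Return (units downloaded, ticks in which business traffic was contended)."""
    rate, next_rate = controller
    downloaded = contended = 0
    for business in business_trace:
        headroom = CAPACITY - business
        latency_seen = rate > headroom   # queueing shows up as latency
        downloaded += min(rate, headroom)
        contended += latency_seen
        rate = next_rate(rate, latency_seen)
    return downloaded, contended

# Constructed trace: quiet link, ten busy ticks at 80% load, quiet again.
TRACE = [0] * 10 + [80] * 10 + [0] * 10
```

On this trace a 50% cap contends with business traffic on every busy tick, a 20% cap never contends but leaves most of the idle link unused, and the reactive controller downloads more than either while contending on fewer ticks than the 50% cap.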
Remote Locations
Nomad is the most reliable way of
distributing software across WANs, even
to poorly-connected and remote
locations, eliminating the need to
establish distribution points everywhere.
Nomad establishes a peer-to-peer
network for distribution of software,
patches, and OS images from SCCM. So
whether the challenge is setting up a new
location or bringing an isolated site into
your network, with Nomad delivery is
easy.
Nomad’s intelligent bandwidth
monitoring and utilization ensures 100
percent reliable content delivery even
where the network quality is poor, such
as locations connected via satellite. If you
happen to need to update the software
on an off-shore oil platform you can stand
down the helicopter and rely on Nomad
instead.
1E has even done this for Operating
System deployments. It took a while for
the downloads to complete but the
critical business traffic continued
uninterrupted over the satellite link. The
upgrades then proceeded quickly using
the local copies of the content.
Improved Security
Security and compliance are quite rightly
significant concerns for the enterprise.
Nomad integrates with and builds on the
inherent security provided by SCCM 2012,
introducing no additional risk to
individual PCs or to the network.
It is not just about not adding risk though
– Nomad actively reduces it. The efficient
distribution of content enables IT to
distribute patches and upgrades during
the day, rather than having to wait until
end-of-day. That keeps your computers’
security up-to-date at all times. That
distinction is especially critical for
zero-day exploits but also for computers
that aren’t online after hours, such as
laptops.
How Else Can 1E Help?
Nomad and 1E’s consulting services (including those of our partners) are central to a
successful ConfigMgr 2012 migration but 1E is pleased to offer even more options and
has solutions to address the following concerns:
• Will you provide all the same software packages from ConfigMgr 2012 as you did with
ConfigMgr 2007? If not, then which packages should be migrated?
• Do your users here in 2014 have the same expectations as the users had when you
deployed ConfigMgr 2007? We often find that users are much more likely now to
seek out software that will make them more productive and do not understand why
that cannot be an almost instantaneous experience.
• When you have made the investment in the ConfigMgr 2012 migration is your
organization getting new added value that demonstrates to the business that the
project was truly a step forward?
• Are the client computers as available for computer management as much as they
were when you implemented SCCM 2007?
AppClarity
Inevitably some software packages that were useful years ago for business needs at
that time are not so useful now. But which software is that? Of the software in this
case, which is the least used? When migrating packages it seems prudent to start with
the packages that are deployed and used most widely, then those that are deployed
widely and fairly well used, and finally those that are not deployed widely nor widely
used. Packages for software that is not used at all should not be migrated no matter
how widely they were previously deployed.
You (or your SCCM administrators) can run reports to identify what software is
deployed and how widely, but determining how well used it is can be challenging.
Enabling software meter rules results in often overwhelming data if done on a large
scale and takes weeks or months to collect. Any other form of software usage data is
hard to relate to specific software products. And with or without usage data, the
reports will be very long, listing tens of thousands of unique software titles, most of
which will be extremely obscure.
1E’s AppClarity addresses these challenges by importing relevant data from
ConfigMgr, applying sophisticated normalization algorithms, and presenting the
results in user-friendly reports that will give you the information you require. You can
dive as deeply as needed into the data but the summarized form will be sufficient for
most migration purposes. Having identified the most used software in your
organization, you can consider which packages should be migrated to SCCM 2012 as
legacy packages or converted to applications.
Your software asset management or licensing team will also benefit from AppClarity
in that they can import their licensing data and readily identify license compliance
issues. They can even address compliance issues in many cases by using AppClarity
to automatically de-install software where it is not being used, bringing it into
compliance.
Shopping
Microsoft has anticipated the rise of user expectations for app stores by including an
Application Catalog in ConfigMgr 2012. However, the Application Catalog is a minimal
solution lacking key features such as:
• Offering both applications and legacy packages (the latter are not offered)
• Active Directory security groups changes
• Resource requests, such as for computers or office supplies – only ConfigMgr
objects can be offered
• A robust approval workflow
• Easy integration with ticketing systems or other infrastructure
• Rental of applications, legacy packages, or security group changes, ensuring they
are removed after the user has used them for project-oriented work
• Extensive customization to brand the web site in the same fashion as your other
intranet sites
• License management
1E Shopping offers these and many other features in a very modern web design that
your users will find to be a pleasure to use. The experience is consistent with what
they have with their consumer devices, reflecting well on your IT organization.
NightWatchman
One of 1E’s most popular products is our industry leading power management
solution, NightWatchman. Windows and ConfigMgr have power management
features but real-world complexities often prevent them from enforcing power
management when they should. Reporting on the savings realized is minimal.
Integrating NightWatchman in your ConfigMgr 2012 infrastructure will allow your
organization to maximize power savings and minimize its greenhouse gas impact.
The facilities and sustainability teams in your organization will highly value the added
value that ConfigMgr 2012 brings to the organization when partnered with
NightWatchman.
About 1E
1E is the pioneer and global leader in
efficient IT solutions. 1E’s mission is to
identify unused IT, help remove it and
optimize everything else. 1E efficient IT
solutions help reduce servers, network
bandwidth constraints, software licenses
and energy consumption.
Contact us
UK (HQ): +44 20 8326 3880
US: +1 866 592 4214
India: +91 120 402 4000
WakeUp
Where power management is effective you might find that you cannot manage
computers after-hours because they are in a low power state. To minimize this issue
you should use a Wake-on-LAN (WOL) solution. ConfigMgr includes WOL options,
including a new WOL proxy feature, but technical constraints mean that these options
only work in limited circumstances.
Both Nomad and NightWatchman include WakeUp, a full-featured WOL solution that
does not have technical constraints. You can use WakeUp to maximize the
effectiveness of ConfigMgr 2012’s features. Either automatically or at SCCM
administrator discretion you can use the ConfigMgr console to wake computers for
patch management,
We trust this white paper has raised ideas that will make your experience with
ConfigMgr 2012 even better. If you would like to discuss those ideas further, please
contact us at the numbers below.