TechNet Live track 1 session 2 - sc-forefront 2
WELCOME TO TECHNET LIVE
SYSTEM CENTER AND FOREFRONT
PART 2
Nicolai Henriksen Chief Infrastructure Architect
Agenda
• Part 1
– Configuration Manager 2007 SP2 R3
– Forefront Endpoint Protection 2010
– OS Deployment Best Practice
• Part 2
– Windows Update Integrated in SCCM
– Custom Update Publisher
– Desired Configuration Management
USMT
• Default Migration Scripts
• User State Migration Toolkit (USMT) 4.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
• MigApp.XML. Rules to migrate application settings.
• MigDocs.XML. Rules that use the MigXmlHelper.GenerateDocPatterns helper function can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
• MigUser.XML. Rules to migrate user profiles and user data. MigUser.xml gathers everything in a user’s profile and then does a file name extension-based search of most of the system for other user data. If data does not match either of these criteria, the data will not be migrated. For the most part, this file describes a “core” migration. The following data does not migrate with MigUser.xml:
– Files outside the user profile that do not match one of the file name extensions in MigUser.xml.
– Access control lists (ACLs) for folders outside the user profile.
• User Data
• This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate access control lists (ACLs).
• Folders from each user profile. When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
• Folders from the All Users and Public profiles. When you specify the MigUser.xml file, USMT also migrates the following from the All Users profile in Windows® XP, or the Public profile in Windows Vista® or Windows® 7: Shared Documents, Shared Video, Shared Music, Shared desktop files, Shared Pictures, Shared Start menu, and Shared Favorites.
• File types. When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and migrates files that have any of the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp, .one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
• http://technet.microsoft.com/en-us/library/dd560792(WS.10).aspx
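A pre-migration audit that follows from the two default criteria above, as an added example that is not part of the original slides or of USMT itself. It models MigUser.xml only as described here (inside a user profile, or a listed extension); the profile root, file inventory and function names are constructed for illustration.

```python
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Extension patterns copied from the MigUser.xml list on this page.
MIGUSER_EXTENSIONS = (
    ".accdb .ch3 .csv .dif .doc* .dot* .dqy .iqy .mcw .mdb* .mpp .one* .oqy "
    ".or6 .pot* .ppa .pps* .ppt* .pre .pst .pub .qdf .qel .qph .qsd .rqy .rtf "
    ".scd .sh3 .slk .txt .vl* .vsd .wk* .wpd .wps .wq1 .wri .xl* .xla .xlb .xls*"
).split()

# Constructed sample input: one hypothetical profile root and a file inventory.
SAMPLE_PROFILES = [r"C:\Users\kari"]
SAMPLE_FILES = [
    r"C:\Users\kari\Documents\notes.md",
    r"c:\users\KARI\Desktop\tool.exe",
    r"D:\Finance\budget.XLSX",
    r"D:\Projects\design.dwg",
    r"D:\Finance\keys\vault.kdbx",
    r"E:\Mail\archive.pst",
]

def in_profile(path, profile_roots):
    """True if path lies under a profile root (Windows paths, case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(root) in parents for root in profile_roots)

def classify(path, profile_roots):
    """Return (migrated, reason) under the two default MigUser.xml criteria."""
    if in_profile(path, profile_roots):
        return True, "inside user profile"
    ext = PureWindowsPath(path).suffix.lower()
    for pattern in MIGUSER_EXTENSIONS:
        if ext and fnmatch(ext, pattern):
            return True, f"extension matches {pattern}"
    return False, "outside profile, extension not listed"

def audit(paths, profile_roots):
    """Return (files left behind, folders outside the profile whose ACLs are not carried)."""
    left_behind, acl_folders = [], set()
    for path in paths:
        migrated, reason = classify(path, profile_roots)
        if not migrated:
            left_behind.append(path)
        elif reason != "inside user profile":
            # Data migrates by extension, but the folder ACL outside the profile does not.
            acl_folders.add(str(PureWindowsPath(path).parent))
    return left_behind, sorted(acl_folders)

if __name__ == "__main__":
    left, acl = audit(SAMPLE_FILES, SAMPLE_PROFILES)
    print("Not migrated by default:", left)
    print("Folders needing ACLs re-applied:", acl)
```

Files in the first list need a custom migration .xml or a separate copy; folders in the second list arrive on the target without their original permissions and should be re-secured before users get access.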
• Windows Update integrated
– More advanced, more options
• Custom Update Publisher
– HP, Dell, Citrix, Adobe
• Desired Configuration Management
– Gives a completely different level of control over machines.
Configuration Manager 2012
Migration
In the past, the easiest way of migrating SMS 2003 to SCCM 2007 was a side-by-side migration. With SCCM 2012 things are going to change for the best, the very best!
With the new Migration Feature in SCCM 2012 the CM Team wants to reach the following goals:
• Assist with the migration of Objects
• Assist with the migration of Clients
• Minimize WAN impact
• Assist with flattening of the hierarchy
• Maximize reusability of x64 server hardware
The migration process of SCCM 2007 to SCCM 2012 can be split up in three phases: Plan, Deploy and Migrate.
• Plan:
– Assess current environment
– Test/Proof of Concept
– Design
– Requires SCCM 2007 SP2
– SCCM 2012 requirements: Windows 2008 x64, SQL 2008 x64 (SP1 & cumulative update 10)
• Deploy:
– Set up initial SCCM 2012 site(s)
– Configure Software Update Point and Synchronize Updates
– Set up server roles
– Make sure the hierarchy is operating and software deployment works
• Migrate:
– Enable data gathering process to acquire information from the existing SCCM 2007 environment
– Migrate objects
– Migrate Clients
– Migrate DP
– Uninstall Configuration Manager 2007 sites
– Rinse & Repeat
Migration rules and preparing your environment:
• Never use the same Site Code in the SCCM 2007 and SCCM 2012 environments
• Always use UNC paths as package sources for packages
• Avoid mixing users and devices in one collection; this is not supported anymore
• Don’t use collections with multiple query rules
Microsoft Mobile Device Management
There are two sorts of mobile device management in SCCM: light mobile device management and depth mobile device management.
• Single “pane of glass” for managing desktops, servers, mobile devices; Exchange connector
• Depth management of WinCE 6.0, WM 6.0/6.1, WP 6.5 and Nokia Symbian based devices
• Secure over the air enrollment
• Monitor and remediate non-compliant devices
• Deploy applications and configuration policies to users or devices
• Mobile VPN is not required anymore to connect to the Device Management environment
Exchange Connector for SCCM 2012
Light mobile device management via Exchange connector:
• Provides a single pane of glass for all assets in the enterprise
• Transfers mobile device administrator from Exchange to SCCM
• Rich inventory and reporting experience
• Define organization level ActiveSync Policy
• Device wipe
• Supports Exchange 2010 and hosted Exchange
• Supports all EAS capable devices including WP7, Symbian, iOS, Android, Palm, etc.
New Features for software distribution
Application Model
• Incorporates all supported software types (MSI, Script, App-V, Mobile Cab)
• Greatly improved dependency handling
• Installation requirements rules
• Installation detection methods
• Application supersedence
• Application uninstall
• User device affinity
• Unified monitoring experience
Content Management
• Distribution Point Groups
• Content Library
• Improved content monitoring experience
Application distribution/deployment process for mobile devices:
• Create Application with more deployment types.
• Create / get policy for application required apps
– Only required apps are supported
• Get source from DP
• Install
• Report back to MP
Application Deployment
The way of deploying applications with System Center Configuration Manager 2012 is different from all earlier versions of SCCM or SMS. In SMS or SCCM you could deploy packages which were scripts, MSIs or App-V applications. The package normally included one deployment type per application. In the 2012 version of SCCM a single application can include multiple deployment types that represent a deployment for a different platform.
• Windows Installer (native MSI)
• Script Installer
• Microsoft Application Virtualization
• Windows Mobile Cabinet
• Nokia SIS/JAR
• RDP
• Terminal Services
• Citrix
When creating an application with more deployment types, you are able to see all the deployment types, dependencies and requirements in one nice flowchart.
Updates
Configuration of Software Updates in SCCM 2012
Superseded update support
• Superseded updates: publisher (MS) can expire update
• Superseded updates are not automatically expired
• You can change settings at the Software Update Point (automatically manage superseded updates, or allow superseded updates to be deployed automatically, time limited)
Software Update Management (SUM) Admin role with RBA
• SUM admin can do specific actions (role) on a specific set of objects (scope)
• You can assign a SUM admin rights to only the server collection, or to a collection with only workstations, to manage their updates.
Client agent settings
• You can change Client Settings on Collections, so you can create different client settings for, for instance, Software Update Settings.
• All Client Agent Settings can be managed for groups of devices.
Migrating from CM07
Migrating all the work you put into CM SUM objects
• Reuse templates or searches already built
• Preserve existing update lists or deployments
• Persisted Update Lists are Update groups without deployment
• Deployments are migrated via Collection Migration and are migrated to Update groups and deployment packages
• Software Update Point (SUP) configurations for products and classifications must be the same on CM07 and CM12
Deployment
Simplified update groups (aggregation of update list)
• Improved search to find updates
• Update groups replace lists and deployments
• New updates added to groups are automatically deployed
• Groups can be used for compliance or deployed (you can create an update group that is not being deployed but used for compliance)
• Use criteria search
• Every update has statistics (installed/(not) required/unknown), same as WSUS
• Create a Software Update Group from Search
• Edit Memberships
• Create Deployment package
• The statistics are out of the box in console monitoring, nice feature!
Automated deployments
• Automatic approval of selected updates
• Scheduled or manually run
• Useful for both Patch Tuesday and Forefront Endpoint Protection
• Updates created by rules are interactive (rules are
• Deployments can be enabled/disabled
• Deployments can be added / removed from groups
• Updates can be added / removed from groups
Configuration Manager 2012
• Integrates mobile device management to deliver unified client management
• Unified and partitioned view for administrators reduces training costs
• Users can connect from anywhere, on any device they choose
• Enables IT to provide a flexible work environment and always think user first
• Automatically detects system conditions and configurations to deliver the most appropriate services
• Allow remote access of managed machine
System and User-Centric
Administrator Experience
• Common look and feel across System Center products
• Improve discoverability
• Only show what is relevant
• Complete scenarios within the console
Role-Based Administration
• Simplified administration of security permissions
– Security Role
• Group sets of permissions together that collectively define an administrative span of control
• e.g. Read Program + Deploy Program + Read Collection + Advertise to Collection = Software Distribution Administrator
• Supports assignment of Security Roles to Users, once in a hierarchy
• Also supports instance level controls
– ConfigMgr provides out-of-the-box Security Roles
– Supports custom Security Roles
• Removes clutter from the console
– Supports “Show me what’s relevant to me” based on my Security Role and Scope
Infrastructure Changes
• ConfigMgr 2007 scenarios where a unique primary site was needed:
– Create tiered primary sites so content distribution and client inventory and status wouldn’t kill my WAN
– Create separate primary sites (or hierarchies!) because different server and desktop client agent settings are needed
– Create a primary site so individual admins only see the data they need to see
• ConfigMgr 2012 will allow admins to minimize and consolidate ConfigMgr 2007 infrastructure
– Primaries are needed for scale out only
– Options for content distribution: Secondaries, DPs with throttling/scheduling, BranchCache, Branch DP
– Client agent settings configurable by collection
– Data Segmentation via Role Based Access Control
Infrastructure Changes
• Improved Distribution Point Groups
– Manage content distribution to individual Distribution Points or Groups
– Content automatically added or removed from Distribution Points based on Group membership
– Associate Distribution Point Groups with collections to automate content staging for software targeted to the collection
• Enhanced investment in SQL technologies
– New replication methods for site to site communications
– Only supporting SQL Server Reporting Services
Client Health
• Server-side metrics covering policy requests, HW & SW Inventory, Heartbeat DDRs and Status Messages
• Customizable monitoring/remediation for:
– Client prerequisites
– ConfigMgr client reinstallation
– Dependent Windows Services
– WMI Repository, Namespace, Class, and Instance health evaluation and repair
• In-console alerts when healthy/unhealthy ratio drops below configurable threshold
Operating System Deployment
• Offline Servicing of Images
– Support for Component Based Servicing compatible updates
– Uses updates already approved
• Boot Media Updates
– Hierarchy wide boot media – no longer need one per site
– Unattended boot media mode – no longer need to press “next”
– Use pre-execution hooks to automatically select a task sequence – no longer see many optional task sequences
• USMT 4.0 - UI integration and support for hard-link, offline and shadow copy features
Remote Control
Send Ctrl-Alt-Del to host device to regain previous feature parity
ConfigMgr 2012 Readiness Tips
• Minimum System Requirements:
– Site servers and site roles require 64-bit OS (distribution points are an exception)
• Branch DPs can run on any 2012-supported client OS
• Standard DPs can run on Windows Server 32-bit but will not support advanced functionality
– Windows Server 2008 (64-bit)
• Distribution points can run on Windows Server 2003
– SQL Server 2008 SP1 with CU6 (64-bit)
– SQL Reporting Services is ONLY reporting solution
• Hierarchy Helpers
– Flatten your ConfigMgr 2007 hierarchy
– Start implementing BranchCache™ with ConfigMgr 2007 SP2
– Start learning about SQL replication
– Best practices - AD Sites for site boundaries, UNC paths for source content, break up collections that contain both users and devices
• App Model Helpers
– State based apps need detection methods
• Tip: Use App CI’s today for your apps to learn about this. SCUP is also a good tool for this
– Rules vs Queries
• Tip: Use DCM today to learn how to author settings and rules as experience will be the same
Server Management Suite Enterprise (SMSE)
2 X Kr per Host OSE ML + 4 OSE MLs
Server Management Suite: 0 Kr incremental
With SMSE: 2 X Kr
Server Management Suite Datacenter (SMSD)
2.4 X NOK per 2-proc server, unlimited OSE MLs
SMSD allows customers to manage and control heavily virtualized workloads with full Systems Management capability without incremental costs
SMSD: $0 incremental
Server Management Suite Datacenter licensing saves costs for customers with heavy virtualization
Thank you for listening!!