the most underutilized configuration management features
Configuration Manager 2012 Features that are often Underutilized
Date: March 25th, 2015
Name: Wally Mead
Cireson’s Power of 1
Innovation: Cireson was founded on a simple, powerful idea: to be the forward thinkers on all things surrounding Microsoft System Center. We are 100% dedicated to the System Center community.
Cireson Consulting Services: Proven System Center deployment methodologies that simply deliver. Period.
Cireson Store: Built for System Center. Ready for anything. Apps that make System Center wonderful.
Custom Built Apps and Features: Do you log an enhancement request with Microsoft Support or Cireson? We can help with adding additional functionality to meet your exact needs. We’re the experts.
Training: System Center training help to maximize the solution and your career.
Your Community: Microsoft, System Center Alliance, http://scsm.us/, myITforum, Think HDI, & itSMF.
Our Team of Experts
Travis Wright
  - Microsoft MVP
  - 11 years Program Manager for SCOM & SCSM
  - 13 Product Releases
  - 14 Patents
  - 2 Gold Star Awards
Chris Ross
  - Microsoft MVP
  - US Service Manager User Group Founder & Leader (http://scsm.us/)
  - Repeat presenter and speaker at MMS, TechEd, and Virtual Academy
  - Co-Author of Microsoft Cloud and Datacenter Management Exams
Wally Mead
  - Microsoft MVP
  - 20+ years Microsoft veteran
  - Product Group Specialist for Configuration Manager since SMS 1.0
  - Trainer who has developed and delivered courses on Configuration Manager for 20+ years
Pete Zerger
  - Microsoft MVP
  - Author and co-author of several books including “Operations Manager Unleashed”
  - Frequent presenter at System Center Universe and Tech Ed events
  - Founder and moderator of System Center Central community
Agenda
Pretty simple agenda – let’s discuss product features that are either not used enough, or not used properly
Demo as much as possible
Hopefully this will incent you to implement, or more correctly use, some of these features
Role-Based Administration
Great ability to control:
  - Who can do what, to whom, on which objects, in the Configuration Manager Console
You designate which user(s) have which security roles, accessing objects assigned to which security scopes, and managing which collection(s) of resources
This is much better and easier to configure than the Configuration Manager 2007 experience
Now also supported in reports
  - Reports should now reflect what you see in the console
  - This was not the case in previous versions of Configuration Manager 2012
Now can really use a single primary site in the vast majority of scenarios
Role-Based Administration (2)
Technically everyone uses RBA, however it is often not used to its full extent
  - Too often assign the “Full Administrator” security role
  - Too often use the “All” or “Default” scopes
  - Too often give access to the root collections
These are all bad things to do
You should implement administrative accounts with limited rights, using unique scopes, managing resources in limited collections
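An audit for the three anti-patterns listed on the Role-Based Administration slides, added here as an example and not part of the original presentation. It assumes input objects carry the LogonName, RoleNames, CategoryNames and CollectionNames properties found on the objects Get-CMAdministrativeUser returns, and it assumes "root collections" means the built-in "All Systems" and "All Users and User Groups"; the sample accounts are constructed.

```powershell
# Added example: flag admins holding Full Administrator, a built-in scope,
# or a root collection. Test-RbaAssignment is a hypothetical helper name.
function Test-RbaAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Admin
    )
    begin {
        # Assumption: English display names of the built-in scopes and collections
        $broadScopes     = 'All', 'Default'
        $rootCollections = 'All Systems', 'All Users and User Groups'
    }
    process {
        $findings = @()
        if ($Admin.RoleNames -contains 'Full Administrator') {
            $findings += 'Full Administrator role'
        }
        $scopes = @($Admin.CategoryNames | Where-Object { $broadScopes -contains $_ })
        if ($scopes.Count -gt 0) { $findings += "Built-in scope: $($scopes -join ', ')" }

        $roots = @($Admin.CollectionNames | Where-Object { $rootCollections -contains $_ })
        if ($roots.Count -gt 0) { $findings += "Root collection: $($roots -join ', ')" }

        [pscustomobject]@{
            LogonName = $Admin.LogonName
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample data (not taken from a real site)
$sample = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\cm-admin'; RoleNames = @('Full Administrator')
                       CategoryNames = @('All')
                       CollectionNames = @('All Systems', 'All Users and User Groups') }
    [pscustomobject]@{ LogonName = 'CONTOSO\patch-ops'; RoleNames = @('Software Update Manager')
                       CategoryNames = @('Default'); CollectionNames = @('EMEA Workstations') }
    [pscustomobject]@{ LogonName = 'CONTOSO\emea-apps'; RoleNames = @('Application Administrator')
                       CategoryNames = @('EMEA'); CollectionNames = @('EMEA Workstations') }
)
$sample | Test-RbaAssignment | Format-Table -AutoSize -Wrap

# Against a live site, from a Configuration Manager PowerShell session:
#   Get-CMAdministrativeUser | Test-RbaAssignment | Where-Object { -not $_.Compliant }
```

With the sample data, the first two accounts are reported as non-compliant and only `CONTOSO\emea-apps` passes.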
Application Model
Packages and Programs:
  - Work great, and you know the process inside and out
  - However, there are limitations with them that the application model was designed to overcome
Applications:
  - You deploy the app and the client determines which ‘type’ of app to use/install
  - Include requirements to reduce collection complexity and processing requirements on the site server
  - Provide detection methods to facilitate removal of wrappers
  - Can have dependencies which are easier to manage than program chaining
Application Model (2)
Applications:
  - Are state based
    - Do what the admin intends based on detection on requirements
    - Including uninstall actions
  - Have alerts for compliance or error percentage
  - Can automatically supersede old app with newer version
  - Support App-V applications
Why don’t people use apps enough?
  - Too often people continue to use packages and programs because:
    - They are familiar, and don’t want to change
    - They already have their wrappers created
    - They migrated from Configuration Manager 2007, and all Packages were migrated as Packages
Automatic Deployment Rules
Analogous to WSUS Automatic Approval Rules
  - Automatically deploy ‘this’ set of updates, to ‘these’ clients, at ‘this’ time, in ‘this’ manner, using ‘these’ distribution points
Saves you having to manually run the Deploy Software Updates Wizard (DSUW) every patch cycle
  - Or more frequently for out-of-band deployments
As of Configuration Manager 2012 R2:
  - You can change the Deployment Package settings
  - You can verify which updates meet your criteria
    - So can now have ADR deployments enabled by default as you can trust they’ll deploy your desired updates
    - Use the “Preview” button
Automatic Deployment Rules
Why don’t people use ADRs?
  - Too often, admins don’t trust the results
  - Patching is too important, you want control over the entire process
  - You have a complex patch process – test, dev, pilot, workstation rollout, and finally servers
Asset Intelligence
Pretty good ability to ‘discover’ applications that are installed on clients
  - Multiple sources are used to find applications installed
  - You can also import license information from .CSV or MSVL
    - Allows you to run reports on imported license counts versus installations
  - Can customize categories, families, and labels for your own needs
  - Can request updates to the catalog
Why don’t people use it?
  - Don’t understand what it does
  - Not easy to normalize the data
  - Discovered that it doesn’t give you what you need
  - Discovered that it doesn’t go far enough
Microsoft Intune Integration
Formerly called Windows Intune
Provides the ability to manage your mobile devices using the same console as your Windows, Mac, Linux/UNIX clients
  - First enroll them (can control which users can enroll devices)
  - Then you get hardware and application inventory
  - Can deploy applications and settings
  - Can deploy profiles (Configuration Manager 2012 R2)
Why don’t people use it?
  - Microsoft came to the game too late
  - Doesn’t have all the features that some of the competitors have
  - Subscription based – don’t like monthly subscriptions
Endpoint Protection
Anti-malware and anti-virus feature
Built into Configuration Manager
  - Just need to install a site role (very lightweight) and enable the client
Great dashboard for viewing status of clients
Can customize settings for unique sets of clients
Mac and Linux versions are also available
  - Not integrated into Configuration Manager however
Why don’t people use it?
  - Already have licenses for a 3rd party product
  - Doesn’t compare to 3rd party products
    - Reviews were not as good as for 3rd party products
Compliance Settings
Great to verify, and potentially remediate, configuration drift from corporate standards
  - Remediation works for Registry, WMI and script detections
Can validate operating system or application settings
Has specific settings for various mobile devices with Microsoft Intune integration
Can easily create collections of non-compliant systems
Why don’t people use it?
  - Don’t understand it
  - Tried it in Configuration Manager 2007 and found out that it only identifies non-compliance (only monitors, does not remediate)
  - Don’t want to create your own configuration items and baselines
  - Too hard to create buckets of systems in a specific compliance state
Software Metering
Inventory does a good job at telling you what is installed
  - However installed does not mean it is used
Metering tells you what is actually used
  - Now can reconcile ‘installed’ versus ‘used’ to avoid purchasing excess licenses or determine that you need to purchase additional licenses
Why don’t people use it?
  - It actually is used fairly often, just not enough valid rules
  - Don’t understand it
  - Didn’t understand all the ‘OS things’ rules that are created automatically
  - Struggled with the reports that come in the box
Summary
If you are not using these features, or not to their full capability, you should be
They can provide great capabilities to assist you in your management of resources using Configuration Manager
Lots of community support out there to help you learn, implement and troubleshoot these features
Plus a whole lot more goodness in Configuration Manager 2012