© 2012 Microsoft Corporation. All rights reserved.

Concepts Admin Module 01 Introduction to Configuration Manager v1.0


System Center 2012 Configuration Manager Concepts & Administration Workshop
Module 1: Introduction to System Center 2012 Configuration Manager
Premier Field Engineer
Microsoft

Conditions and Terms of Use

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft, Internet Explorer, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Copyright and Trademarks

© 2012 Microsoft Corporation. All rights reserved.

Overview
- Introduction to main features of Configuration Manager
- Provide a general understanding of the product
- This workshop focuses on a subset of the available Configuration Manager features
- Remaining features are covered by other workshops

Overview
This module introduces the main Configuration Manager features. It is not a technically deep module and is intended to provide you with an overview of different features. Configuration Manager is a complex product and it is not possible to cover every topic in detail.

Objective
- This module will introduce new Configuration Manager features and major changes from the previous version (Configuration Manager 2007)
- After completing this module you will be able to:
  - Identify the main features of Configuration Manager and their functionality
  - Identify which workshops are focused on the topics not covered by this delivery

Introduction
This module focuses on a general overview of Configuration Manager features. This module will also cover features that have changed from Configuration Manager 2007. Not all of the features will be covered in this workshop. At the end of this module, we will provide names of workshops covering other topics.

What is Configuration Manager?
- Part of the System Center 2012 suite
- Enterprise class system configuration and management tool
- Increases IT productivity by reducing manual tasks
- Provides effective management of your assets
- Utilizes your existing Microsoft technologies and solutions

Microsoft System Center 2012 suite member
As a member of the Microsoft System Center 2012 suite of management products, Microsoft System Center 2012 Configuration Manager increases IT productivity and efficiency by reducing manual tasks and enabling companies to focus on high-value projects, maximize hardware and software investments, and empower end-user productivity by providing the right software at the right time.

Configuration Manager helps provide effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices.

Utilizing existing Microsoft technologies
Configuration Manager extends and works alongside your existing Microsoft technologies and solutions. For example, Configuration Manager uses Active Directory Domain Services for:
- Security
- Service location
- Configuration
- User discovery
- User device discovery

Configuration Manager now uses SQL Server as a distributed change management database, which integrates with SQL Server Reporting Services (SSRS) to produce reports that monitor and track the management status.

Windows Management Instrumentation (WMI) is used to store, access, and manage client computer information.

Many of the Configuration Manager site system roles that provide management functionality use the web services of Internet Information Services (IIS). Background Intelligent Transfer Service (BITS) and BranchCache can be used to help manage the available network bandwidth.

In addition, Configuration Manager can integrate with:
- Windows Server Update Services (WSUS)
- Network Access Protection (NAP)
- Certificate Services
- Exchange Server
- Group Policy, the DNS Server role
- Windows Automated Installation Kit (WAIK)
- User State Migration Tool (USMT)
- Windows Deployment Services (WDS)
- Remote Desktop and Remote Assistance

Pillars of Configuration Manager

Modernize infrastructure and core components
- Redesigned hierarchy and data replication
- Automated content distribution
- Client Health improvements and auto-remediation
- Redesigned admin experience and role-based security model
- Native 64-bit and full Unicode support

Continue to improve throughout the product
- Software Updates auto-deployment (including Forefront definitions)
- Automated settings remediation
- Consolidated and expanded mobile device management
- Improvements to OS Deployment and Remote Control

Embrace user-centric management
- Allow the administrator to think users first
- Give the end user a fitting user experience to find/install software
- Allow the user to define their relationship to applications

Embrace user-centric management

Allow the administrator to think of the end users first
Applications can now be deployed to users depending on what kind of device they are using.

Provide end users with a fitting user experience to find/install software
End users can now use "Software Center" to search for or request installations, set device affinity, configure business hours, and more.

Allow the user to define their relationship to applications
As users move from one device to another, this setting provides the ability to deliver the right type of application to the user depending on the device the user is currently using. For example, it is possible to perform a full installation on the user's desktop while delivering only the virtualized application when the user logs on to a different PC.

Modernize infrastructure and core components

Redesigned hierarchy and data replication
The hierarchy in Configuration Manager has gone through dramatic changes. While a single site installation is still an option, a multi-site installation now requires a Central Administration Site. The hierarchy is flat, allowing only one tier of Primary sites under CAS with one tier of Secondary sites under the Primaries.

Automated content distribution
This is facilitated by Distribution Point Groups and Content Pre-staging.

Client Health improvements and auto-remediation
Client Health relies on a scheduled task, which runs daily on all clients to determine the status of the client and automatically remediate some common issues.

Redesigned admin experience and role-based security model
The Administrator console is built on the common System Center framework, giving it the same look and feel as other System Center products. The role-based security model provides more control over what an administrator can see and do in the console.

Native 64-bit and full Unicode support
All Configuration Manager Server components are now 64-bit. 32-bit Configuration Manager Clients are still supported. Configuration Manager supports Unicode characters. Please beware of the SQL code page during installation.

More information at: http://technet.microsoft.com/en-us/library/bb632860.aspx

Continue to improve throughout the product

Software Updates auto-deployment (including Forefront definitions)
Under Software updates, you can configure "Automatic Deployment Rules" which will then periodically synchronize, download and deploy specific updates to your clients.

Automated settings remediation
If we find a non-compliant setting (e.g. Registry) during a Compliance Settings scan, the Configuration Manager client can automatically (re)set the correct values at the client, making it compliant. From the administrator console, this is achieved by selecting a checkbox on the Configuration Items and the Configuration Baseline Deployment properties.

Consolidated and expanded mobile device management
Configuration Manager now allows you to manage ActiveSync policies as well as Nokia Symbian mobile devices.

Improvements to OS Deployment and Remote Control
We can now perform:
- Offline patching of the images
- Task Sequence media works throughout the hierarchy
- Easier use of the pre-execution hook

More information at: http://technet.microsoft.com/en-us/library/gg682108.aspx#BKMK_OSDIntroWhatsNew

With Remote Control, you can connect to unattended machines. You can also send Ctrl-Alt-Delete to the controlled machines. Clipboard is shared in both ways (works for text, files, etc.). The User Account Control issues have been fixed, and the mirror-driver removed.

More information at: http://technet.microsoft.com/en-us/library/gg699359.aspx

Configuration Manager Console
- The System Center UI
- Workspaces and Ribbon
- Search
- Provider

Administration Console
The next few slides will cover the new System Center 2012 Configuration Manager console improvements.

System Center UI
- No more Microsoft Management Console
- Uses the System Center UI Framework for common look and feel across all System Center 2012 products
- Main point of administration
- Used to configure sites, clients, and to run/monitor management tasks
- Launch secondary consoles (Resource Explorer, Remote control, Out of Band Management)
- Can be installed on additional servers and workstations
- Access can be restricted
- Administrators see only the objects they are allowed to see
- Temporary nodes for easier navigation

Common UI framework
As a member of the System Center 2012 product suite, Configuration Manager uses the common User Interface framework that will give administrators a common look and feel across all System Center 2012 products. Configuration Manager is no longer using the Microsoft Management Console technology.

Main point of administration
The Configuration Manager Console is the main point of administration that allows the user to configure and control most aspects of Configuration Manager. For specific management tasks it will start secondary consoles that can be used to accomplish various tasks. Some examples are Resource Explorer, Out Of Band Management Console or Remote Control. The Configuration Manager Console can be installed on additional servers or workstations. It requires .Net 4.0 and can be installed from the Configuration Manager installation media.

Console Access
Access to the console can be restricted through Configuration Manager in such a way that the person using it will only see the objects and nodes they are allowed to administer.

Temporary nodes
For easier navigation and administration, temporary nodes are created in the console. Those nodes disappear when the console restarts.

Workspaces and Ribbon
Everything is placed under one of four workspaces:
- Administration
- Software Library
- Monitoring
- Assets and Compliance

The ribbon provides context sensitive access to settings and features

Workspaces
Tasks and administration are placed under four workspaces in the bottom left corner:
- The Administration workspace allows you to configure the Configuration Manager hierarchy and settings.
- The Software Library workspace is where you can create and deploy software and updates.
- The Monitoring workspace will help you monitor your Configuration Manager environment.
- The Assets and Compliance workspace contains User and Device collections as well as Compliance Settings.

Ribbon
The ribbon (on top) exposes context sensitive actions which are available for the currently selected object.

Search
- A special search tab is present on the ribbon

Search
The Search tab on the ribbon allows you to search for any object inside the console. You can combine different search criteria to filter out the results.

Warning: Be careful when using the global search option as it can be very resource intensive!

Search
- Use of temporary nodes in the navigation pane
- These are automatically created and selected as a result of actions that you take and that do not display after you close the console

Temporary nodes
Search results are persisted in a temporary sticky node in the UI. The results of your search will create a temporary node in the console for easier access. Those nodes can be reused and stay in the console until it is closed.

Provider
- Maps Classes and Instances to Tables and Rows in the database
- Multiple providers for a single site for either load balancing or redundancy
- Not intended for high availability scenarios
- Implements role based security
- Provider can be installed by running setup

SMS Provider
The SMS Provider is a WMI provider that assigns access to the Configuration Manager database at a site. For better performance, it is recommended to place the Provider where there is a good connection to your SQL server.

The Central Administration site and each Primary site require at least one SMS Provider. You cannot install the Provider to a virtual SQL server instance of a cluster.

If the Configuration Manager console is running on a computer other than the SMS Provider computer, you require permissions to activate a DCOM server on the SMS Provider computer. By default, Remote Activation is granted only to the members of the built-in Administrators group. You can allow the SMS Admins group to have Remote Activation permission. The SMS Admins group is a local group that is automatically created during Configuration Manager installation.

More information: http://technet.microsoft.com/en-us/library/gg712282.aspx

Sites and Hierarchy
Central Administration site (CAS)
- Must be installed first in a hierarchy
- Only supports one level of child Primary sites

Primary site
- Standalone for smaller deployments
- Requires CAS to join a hierarchy

Secondary site
- Extends a Primary site
- Mainly used to compensate for slow network connections

[Diagram labels: One per hierarchy; Max. 25; Max. 250 per Primary site]

A change in architecture
System Center 2012 Configuration Manager architecture has changed significantly from previous versions of the product. The hierarchy in Configuration Manager is now flatter and much more rigid. It is important to spend more time designing the hierarchy taking into account possible future expansion.

Central Administration Site
When setting up a Configuration Manager hierarchy, the Central Administration Site (CAS) is the first one you must install. It is always on the top of the hierarchy and cannot be joined or moved to an existing hierarchy. You can only have one CAS per hierarchy. CAS has no clients assigned to it nor does it process client data. CAS can support up to 25 Primary child sites simultaneously and up to 400,000 clients in the hierarchy (assigned to Primary sites). You need SQL Server Enterprise to support the maximum number of clients.

Primary sites
Attach directly to CAS. You cannot move a Primary site to another parent (CAS). Primary sites can have up to 100,000 clients attached to them.

Secondary sites
Each Primary site can have several Secondary sites attached to it. As with Primary sites, you cannot move the Secondary site to a different parent. A Secondary site can only be installed (pushed) from the Configuration Manager console. Secondary sites are used to host Site System Roles to offload WAN link traffic. Clients communicate with the Secondary sites, but they are never assigned to them.

Sites and Hierarchy
- Standalone single Primary site for smaller deployments
- Install Primary site first
- Cannot be added to a hierarchy later
- Supports Secondary sites

Standalone site
If you have a smaller environment and only want to deploy one site, you can install a Primary site without a CAS. You can assign clients to a standalone Primary site as well as attach child Secondary sites under it.

Note: This configuration does not allow you to join a hierarchy later.

Comparison of Configuration Manager 2007 and Configuration Manager hierarchy

Configuration Manager 2007 hierarchy
- Primary sites can be moved around the hierarchy
- Primary sites can be nested
- A Primary site is needed to facilitate different client agent settings or as a security boundary

Configuration Manager hierarchy
- A CAS is needed for a hierarchy
- Flat hierarchy with only one level of Primary sites
- Client agent settings are managed through custom settings applied to Collections

Plan the design
If you were used to designing or working with Configuration Manager 2007, you need to take extra care to design the new Configuration Manager hierarchy properly. While Configuration Manager 2007 was quite flexible with hierarchy designs, allowing you to move Primary sites around the hierarchy, or even join and disjoin hierarchies, this is no longer the case with System Center 2012 Configuration Manager. Once a hierarchy is set, the only changes you can make are installing or removing a site, and even this has its pitfalls.

Primary sites number is limited
In the lifetime of a CAS you can attach only 127 Primary sites. Each Primary site has a unique ID, and (re)installing a site uses one of the 127 available IDs. After this pool is exhausted you will not be able to attach any more Primary sites to the CAS. With the new take on security, client settings and content replication, Configuration Manager allows you to use far fewer sites than previously.

Site System servers and Site System roles
- Configuration Manager uses Site System roles to support different management operations at each site
- Each Site Server can host different Site System roles
- Site System role can be installed on the Site Server or on another server to manage performance

Site System Servers and Roles
Each Site Server hosts different roles. Site System roles can be installed to the Site Server or spread out to other servers for performance or resiliency (multiple Distribution Points or Management Points). You can add or remove roles from the servers using the Administration Workspace -> Site Configuration -> Servers and Site System Roles node.

Site System Servers and Site System Roles
- One Site Server or System can host roles for one site
- Some site system roles are automatically installed and assigned to the server on which Configuration Manager Setup has run
- An example of these site system roles is the Site Server role
- Cannot transfer these roles to another server or remove without uninstalling the site
- Some roles no longer exist but have been added to other roles to make them more capable, e.g. PXE Service Point is now a function of a PXE-Enabled DP

Site System Servers and Roles
Each Site Server or Site System can only host roles for one site. For example, you cannot install Distribution Points for multiple sites on the same file server. While you can install databases for multiple sites on the same SQL server, they must be hosted in separate instances. During installation of Configuration Manager Site Servers, some roles are automatically installed. Because CAS doesn't process client data, it can host only a limited set of roles. There are some roles that can only be installed on the CAS.

Site System roles
- Site server: A site server is the computer on which you run Configuration Manager Setup and it provides the core functionality for the site
- Site database server: A site database server hosts the SQL Server database to store information about assets and site data
- Component server: A component server runs Configuration Manager services and is automatically installed with all site systems except the Distribution Point
- Management point (MP): A Management Point provides policy and content location information to clients. It also receives configuration data from clients
- Distribution Point (DP): Contains source files for clients to download, such as application content, software packages, software updates, OS and boot images. You can control content distribution by using bandwidth throttling and scheduling options

Site System roles list
This slide briefly explains Site System Roles.

Site System roles (continued)
- Reporting Services Point (RSP): Integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager
- State Migration Point (SMP): The SMP stores user state data when a computer is migrated to a new operating system
- Software Update Point (SUP): A SUP integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients
- System Health Validator Point (SHV): The SHV validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP Health Policy server
- Fallback Status Point (FSP): FSP helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point
- Out of Band Service Point (OOB): OOB service point provisions and configures AMT-based computers for out of band management

Site System roles
- Asset Intelligence synchronization point: An AI synchronization point connects to System Center Online to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog
- Application Catalog Web Service Point: An Application Catalog Web Service Point provides software information to the Application Catalog website from the Software Library
- Application Catalog Website Point: An Application Catalog website point provides users with a list of available software
- Enrollment Proxy Point: An Enrollment proxy point manages enrollment requests from mobile devices so that they can be managed by Configuration Manager
- Enrollment Point: An Enrollment Point uses PKI certificates to complete mobile device enrollment and provision AMT-based computers

Site System role placement

| Role | CAS | Child Primary site | Standalone Primary site | Secondary site | Scope |
|---|---|---|---|---|---|
| Application Catalog web service point | No | Yes | Yes | No | Hierarchy |
| Application Catalog website point | No | Yes | Yes | No | Hierarchy |
| Asset Intelligence synchronization point (1) | Yes | No | Yes | No | Hierarchy |
| Distribution point (2,3) | No | Yes | Yes | Yes | Site |
| Fallback status point | No | Yes | Yes | No | Hierarchy |
| Management point (2,3,5) | No | Yes | Yes | Yes | Site |
| Endpoint Protection point | Yes | No | Yes | No | Hierarchy |
| Enrollment point | No | Yes | Yes | No | Site |
| Enrollment proxy point | No | Yes | Yes | No | Site |
| Out of band service point | No | Yes | Yes | No | Site |
| Reporting services point (2) | Yes | Yes | Yes | No | Hierarchy |
| Software update point (4,6) | Yes | Yes | Yes | Yes | Site |
| State migration point (2) | No | Yes | Yes | Yes | Site |
| System Health Validator point (2) | Yes | Yes | Yes | No | Hierarchy |

Placement of roles
This table shows the Site System role placement and its scope.
For more information visit: http://technet.microsoft.com/en-us/library/gg712282.aspx

Remarks
1. Configuration Manager supports only a single instance of this site system role in a hierarchy.
2. Configuration Manager supports multiple instances at each site, and at multiple sites in a hierarchy.
3. When you install a secondary site, a management point and a distribution point are by default installed on the secondary site server.
4. Configuration Manager supports only a single instance of this site system role per site, but supports multiple instances in a hierarchy.
5. This role is required to support clients in Configuration Manager. For more information about the site system roles that support clients in Configuration Manager, see Determine the Site System Roles for Client Deployment in Configuration Manager. http://technet.microsoft.com/en-us/library/gg681976.aspx
6. When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install software update points at a child primary site, configure it to synchronize with the software update point at the central administration site.

Site Boundaries

Boundary
- Is a network location on intranet
- Defined once per hierarchy
- Needs to be part of a Boundary Group for site assignment

Boundary can be any of the following
- IP range
- IP subnet
- AD site
- IPv6 prefix

What is a boundary
Boundaries in Configuration Manager are network locations on the intranet that can contain devices you want to manage. Each boundary is defined once per hierarchy. Boundaries can be defined as an IP subnet, IP range, Active Directory site or IPv6 prefix. Clients use those boundaries to locate content and assign themselves to a specific Configuration Manager site. For client site assignment, the boundary must be a member of a boundary group.

You can get more information at: http://technet.microsoft.com/en-us/library/gg712679.aspx

Boundary Groups

Site Assignment
- Clients join site based on boundary group containing client's current network location
- Overlapping is not supported for site assignment
- Fallback Site: New feature added so clients that don't belong to any of the site boundaries/boundary groups will be assigned to Fallback Site. This is completely different than Fallback Status Point

Content location
- Associate DPs and SMPs with one or more boundary groups
- Overlapping is permitted for content location (DP, SMP)
- Network speed is defined for each DP in a boundary group

What are Boundary Groups
Boundary Groups are used in Configuration Manager to manage network locations. Each Boundary can be assigned to a boundary group.

Boundary groups and Site assignment
Clients will join a particular site based on the boundary group containing a boundary with the client's current network location. Be careful not to overlap Boundaries used for site assignment as your clients might join the wrong site.

In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a Fallback Site (an optional setting for the hierarchy) and the client is not in a boundary group, automatic site assignment succeeds and the client is assigned to the specified Fallback Site.
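
The site-assignment rules above (no overlap between boundaries used for site assignment, Fallback Site when no boundary group matches) can be audited offline. The following Python sketch is an added example, not part of the workshop material or of Configuration Manager; boundary names, the site codes P01/P02 and all addresses are constructed, IP subnets are modelled as CIDR networks, and AD site boundaries are left out because resolving them needs directory data.

```python
"""Audit site-assignment boundary groups for overlaps (added example).
All names, site codes and addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Boundary:
    name: str
    kind: str   # "subnet", "range" or "ipv6prefix"
    value: str  # CIDR for subnet/ipv6prefix, "first-last" for range

    def span(self):
        """Return (ip_version, first, last) with addresses as integers."""
        if self.kind == "range":
            first, last = (ip_address(p.strip()) for p in self.value.split("-"))
            if first.version != last.version or first > last:
                raise ValueError(f"bad range in boundary {self.name!r}")
            return first.version, int(first), int(last)
        net = ip_network(self.value, strict=True)
        return net.version, int(net.network_address), int(net.broadcast_address)

    def contains(self, addr) -> bool:
        version, first, last = self.span()
        return addr.version == version and first <= int(addr) <= last


@dataclass(frozen=True)
class BoundaryGroup:
    name: str
    boundaries: tuple
    assigned_site: Optional[str] = None  # None: used for content location only


def assignment_overlaps(groups):
    """Pairs of boundaries whose addresses intersect while their boundary
    groups assign clients to different sites (the unsupported case)."""
    tagged = [(g, b) for g in groups if g.assigned_site for b in g.boundaries]
    found = []
    for (g1, b1), (g2, b2) in combinations(tagged, 2):
        if g1.assigned_site == g2.assigned_site:
            continue  # same site: overlap cannot send a client elsewhere
        v1, lo1, hi1 = b1.span()
        v2, lo2, hi2 = b2.span()
        if v1 == v2 and lo1 <= hi2 and lo2 <= hi1:
            found.append((b1.name, g1.assigned_site, b2.name, g2.assigned_site))
    return found


def resolve_site(client_ip, groups, fallback_site=None):
    """Return (site, reason) for automatic site assignment of one client.
    An ambiguous match is reported instead of guessing which site wins."""
    addr = ip_address(client_ip)
    sites = sorted({g.assigned_site for g in groups if g.assigned_site
                    for b in g.boundaries if b.contains(addr)})
    if len(sites) == 1:
        return sites[0], "boundary group"
    if len(sites) > 1:
        return None, "ambiguous: " + ", ".join(sites)
    if fallback_site:
        return fallback_site, "fallback site"
    return None, "no boundary group and no fallback site"


# Constructed sample hierarchy: two primary sites plus a content-only group.
HQ_LAN = Boundary("HQ LAN", "subnet", "10.10.0.0/16")
HQ_LAB = Boundary("HQ lab range", "range", "10.10.200.1-10.10.200.254")
BRANCH = Boundary("Branch LAN", "subnet", "10.20.0.0/16")
BRANCH_V6 = Boundary("Branch IPv6", "ipv6prefix", "2001:db8:20::/64")

GROUPS = [
    BoundaryGroup("Assign-P01", (HQ_LAN,), assigned_site="P01"),
    # HQ_LAB was added to the wrong group: it lies inside HQ_LAN (P01).
    BoundaryGroup("Assign-P02", (BRANCH, BRANCH_V6, HQ_LAB), assigned_site="P02"),
    # Overlap is permitted here because this group assigns no site.
    BoundaryGroup("Content-HQ", (HQ_LAN, HQ_LAB)),
]

if __name__ == "__main__":
    for hit in assignment_overlaps(GROUPS):
        print("overlap: %s (%s) <-> %s (%s)" % hit)
    for ip in ("10.20.5.9", "10.10.200.50", "192.168.1.10"):
        print(ip, resolve_site(ip, GROUPS, fallback_site="P01"))
```
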

Boundary Groups and content location
For a client to locate content (applications, software updates, state migration points, etc.) you need to associate a boundary group with one or more Distribution Points or State Migration Points.

For content location, you are allowed to overlap boundaries, which enables the clients to select the closest content.

You should consider creating two sets of Boundary groups, one for Site assignment and one for Content location.

Comparison of Configuration Manager 2007 and Configuration Manager boundaries

Configuration Manager 2007 boundaries
- Boundaries are site specific
- Overlapping is not supported
- Network speed is set per boundary

Configuration Manager boundaries
- Boundaries are no longer site specific
- Boundary Groups must be used for site assignment
- Overlapping is permitted for content location
- Network speed is set per DP

Warning: Overlapping boundaries between Configuration Manager 2007 and System Center 2012 Configuration Manager breaks Configuration Manager 2007 Clients.

Clients and Client Health
- Discovering clients
- Installing clients
- Monitoring clients

In the next few slides we will present an overview of client discovery, installation and monitoring.

Discovering Clients
What is a Discovery Method?
- Configuration Manager uses Discovery to add new resources (users or computers) or information about existing resources (group or OU membership) to the Configuration Manager database
- Currently there are 6 discovery methods in Configuration Manager

Client discovery:
Before clients can be managed they need to be discovered. Configuration Manager uses different discovery methods to add new resources to the database.

Discovery methods:
- Active Directory System Discovery discovers computer accounts from specific locations in Active Directory.
- Active Directory User Discovery discovers user accounts from specific locations in Active Directory.
- Active Directory Group Discovery replaces previous User and Security Group discovery methods and discovers:
  - Local, global, and universal security groups
  - The membership within these groups
  - The membership within distribution groups from specific locations in Active Directory
- Network Discovery searches the network for devices that have an IP address. This is the least desired discovery method as it will also discover devices that cannot be managed with Configuration Manager such as routers or printers. Use this method for well defined small subnets that might include non domain joined computers (i.e. DMZ computers).
- Heartbeat Discovery is used by the clients to update their discovery records in the database.
- Active Directory Forest Discovery is a new discovery method that can:
  - Discover Active Directory Sites (and create Boundaries for each site)
  - Publish Configuration Manager information to the whole forest (if enabled)

For more information take a look at: http://technet.microsoft.com/en-us/library/gg712308.aspx

Discovering Clients (continued)

Delta Discovery
- Enhances the discovery capabilities by discovering only new or changed resources in AD instead of performing a full discovery cycle
- Discovery can detect the following new resource types:
  - Computer objects
  - User objects
  - Security group objects
- It is only available for the following discovery methods:
  - Active Directory System Discovery
  - Active Directory User Discovery
  - Active Directory Group Discovery

Delta Discovery
The interval by which Delta Discovery searches for new resources can be configured to be a short interval as it is only discovering new resources. This does not affect the performance of the site server as much as a full discovery.

Delta Discovery does not replace other Configuration Manager discovery methods.

Delta Discovery is enabled by default in Configuration Manager. When it is enabled, the default schedule is every 5 minutes.

Resource types
Delta Discovery can detect the following new resource types:
- New or changed Computer objects
- New or changed User objects
- Computers or Users added or removed from Security group objects
- Changes to System group objects

Comparison of Configuration Manager 2007 to Configuration Manager Discovery

Configuration Manager 2007 Discovery
- Discovery Data Records (DDRs) are processed at each site in the hierarchy (child -> parent -> central)
- Discovery information is not shared

Configuration Manager Discovery
- Each DDR is processed only once at CAS or a Primary Site
- Discovery information is global data
- New method: Active Directory Forest Discovery
- No more System Group Discovery (replaced by AD Group Discovery)
- Stale computers can be filtered out
- Delta Discovery is improved

Client Installation

Client Installation Method: Description
- Automatic Client Upgrade: Clients can now be automatically upgraded. Refer to the link under Notes.
- Upgrade installation: Uses Configuration Manager application management to upgrade clients to a newer version. You can also use Configuration Manager 2007 software distribution to upgrade clients to Configuration Manager.
- Client push installation: Use this method to automatically install the client to assigned resources and to manually install the client to resources that are not assigned.
- Software update point installation: Used to install the client using the Configuration Manager software updates feature.
- Group Policy installation: Used to install the client using Windows Group Policy.
- Logon script installation: Used to install the client by means of a logon script.
- Manual installation: Used to manually install the client software.
- Client Imaging: Used to pre-stage the client installation in an operating system image.

Client installation options
There are several options for installing the Configuration Manager client on servers or workstations.

Automatic Client Upgrade: http://technet.microsoft.com/en-us/library/2ad4b21a-43bd-434e-b3bb-fc8744da7e9c#BKMK_upgrade

More information at: http://technet.microsoft.com/en-us/library/gg682132.aspx

Client Assignment
- Manual Site Assignment
  - Use a client installation property that specifies the site code
  - In Control Panel\Configuration Manager, specify the site code
- Automatic Site Assignment
  - Based on Boundaries
- What's New in Configuration Manager for Site Assignment?
  - For automatic site assignment a Boundary must be configured in a Boundary Group that is configured for site assignment
  - You can specify a fallback site for the hierarchy if the client's network location is not in a Boundary Group
  - Clients can now download site settings from the Management Point after they have been assigned to the site

What is Client Assignment
After a Configuration Manager client is installed, it must join a Configuration Manager primary site before it can be managed. The site that a client computer joins is referred to as its assigned site. Clients cannot be assigned to a central administration site or a secondary site.

The assignment process occurs after the client is successfully installed and determines which site manages the client computer. However, you can install a client and not immediately assign it to a site, but in this scenario, the client will be unmanaged until site assignment is successful. For more information about how to install a client, see How to Install Clients on Computers in Configuration Manager. http://technet.microsoft.com/en-us/library/gg712298.aspx

You can either directly assign a client to a site, or you can use automatic site assignment where the client automatically finds an appropriate site based on its current network location, or you can assign the client to a fallback site that has been configured for the hierarchy.

After the client is assigned to a site, it remains assigned to that site, even if the client changes its IP address and roams to another site. Only an administrator can later manually assign the client to another site or remove the client assignment.

If the client fails to assign to a site, the client software remains installed, but will be unmanaged.

Using Manual Site Assignment
You can manually assign clients to a site by using the following two methods:
- Use a client installation property that specifies the site code.
- In Control Panel -> Configuration Manager -> Advanced tab, specify the site code.

Using Automatic Site Assignment
Automatic site assignment can occur during client deployment, or when you click Find Site in the Advanced tab of the Configuration Manager Properties in the Control Panel. The Configuration Manager client compares its own network location with the boundaries that are configured in the Configuration Manager hierarchy. When the network location of the client falls within a boundary group that is enabled for site assignment, the client is automatically assigned to that site.
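The site assignment decision described in these notes (manual assignment, sticky assignment while roaming, boundary group match, fallback site, and the 10-minute retry) can be modelled as follows. This is an added example, not Configuration Manager code: boundaries are assumed to be plain IP subnets, the site codes and boundary groups are constructed, and the handling of a client that matches boundary groups for two different sites is this example's own choice, since the slides do not cover it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

RETRY_MINUTES = 10  # retry interval stated in the slide notes

# Constructed hierarchy: site code -> site type.
SITE_TYPES = {"CAS": "central administration", "P01": "primary",
              "P02": "primary", "S01": "secondary"}


@dataclass(frozen=True)
class BoundaryGroup:
    name: str
    subnets: Tuple[str, ...]          # assumption: boundaries modelled as IP subnets
    site_code: Optional[str] = None   # None = not enabled for site assignment


@dataclass(frozen=True)
class Decision:
    site: Optional[str]               # None = client stays unmanaged for now
    reason: str
    retry_in_minutes: Optional[int] = None


def _require_primary(site_code: str) -> str:
    """Clients can only be assigned to a primary site."""
    if SITE_TYPES.get(site_code) != "primary":
        raise ValueError(f"{site_code!r} is not a primary site")
    return site_code


def matching_sites(client_ip: str, groups) -> set:
    """Sites of every assignment-enabled boundary group containing the IP."""
    ip = ipaddress.ip_address(client_ip)
    return {g.site_code for g in groups
            if g.site_code is not None
            and any(ip in ipaddress.ip_network(s) for s in g.subnets)}


def assign_site(client_ip, groups, fallback_site=None,
                current_site=None, manual_site=None) -> Decision:
    if manual_site:        # an administrator's choice overrides everything else
        return Decision(_require_primary(manual_site), "manual assignment")
    if current_site:       # assignment is sticky when the client roams
        return Decision(current_site, "already assigned; roaming does not reassign")
    sites = matching_sites(client_ip, groups)
    if len(sites) == 1:
        return Decision(_require_primary(sites.pop()), "boundary group match")
    if len(sites) > 1:
        # Not covered by the slides: this example refuses to guess and reports it.
        return Decision(None, "conflict: boundaries map to " + ", ".join(sorted(sites)))
    if fallback_site:
        return Decision(_require_primary(fallback_site), "fallback site")
    return Decision(None, "no boundary group and no fallback site", RETRY_MINUTES)


# Constructed sample data.
GROUPS = [
    BoundaryGroup("HQ", ("10.1.0.0/16",), "P01"),
    BoundaryGroup("Branch content only", ("10.2.0.0/16",)),
    BoundaryGroup("Lab", ("10.3.0.0/24",), "P02"),
    BoundaryGroup("Lab overlap", ("10.3.0.0/25",), "P01"),
]

if __name__ == "__main__":
    for ip in ("10.1.5.9", "10.2.0.4", "10.3.0.5", "10.3.0.200"):
        print(ip, assign_site(ip, GROUPS))
    print(assign_site("10.2.0.4", GROUPS, fallback_site="P01"))
```

A client in the "Branch content only" range stays unmanaged and retries unless a fallback site is set, which is the state to look for when devices appear installed but never report.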

If the client cannot find a site that is associated with a boundary group that contains its network location, and the hierarchy does not have a fallback site, the client retries every 10 minutes until it can be assigned to a site.

Client Status
- Client Status is a built-in feature of Configuration Manager
- Administrators can be alerted to potential client health issues
- Clients conduct a daily self check
- Auto-remediate dependencies
- Reports and trending

Client Status feature
- Client Status is now a built-in feature of Configuration Manager. You can access it from the Monitoring workspace.
- Configuration Manager can alert Administrators to potential client health issues and allow them to react.
- Alerts are set on collections based on thresholds configured by administrators.

Client Self-check
- Clients conduct a daily self-check. This is done by running a scheduled task on the clients. The task runs CCMEval.exe, which is installed on systems when the Configuration Manager client is deployed.
- The task runs between midnight and 01:00. If the task is missed because the computer was asleep or powered down, it will run as soon as possible.
- The Task Scheduler service must be running on the clients.
- Results are returned as State Messages to the Management Point. If this fails and a Fallback Status Point (FSP) is available, the state is sent to the FSP.

Client Health States classifications:
- Pass and Active
- Pass and Inactive
- Fail and Active
- Fail and Inactive

Automatic remediation
Typical client problems that are detected are automatically remediated. For example:
- WMI repository
- WMI service
- SMS agent host service
- BITS version and service
- .NET version
- MP accessibility
- Configuration Manager client installed
- Forefront End Protection client and service
- Windows Update agent service

Reporting
You can get reports and trending information on the state of your clients from the Client Status home page and Reporting. Users can also subscribe to detailed reports for more data regarding client health and activity.

Inventory

Hardware Inventory
- Queries WMI for hardware data
- Can be customized per site or per collection
- Customize HW Inventory without manually editing .MOF files as they no longer exist.

Software Inventory
- Scans hard drives for file types
- Can also collect copies of files during inventory cycle
- Can be customized per Site or per Collection

Hardware Inventory
- Hardware Inventory client agent is a key functionality of Configuration Manager.
- Many other features depend on Hardware Inventory being collected from the clients.
- Hardware inventory queries the Windows Management Instrumentation (WMI) repository on the client to gather data about the client.
- You can customize the classes that should be collected per site or per collection. This can be done from the console without manually editing the SMS_DEF.MOF or CONFIG.MOF files as in previous versions.
- Use Queries, Reports and Resource Explorer to view Hardware Inventory data.
- More information about Hardware Inventory: http://technet.microsoft.com/en-us/library/gg682093.aspx

Software Inventory
- Software Inventory client agent collects file information from the clients.
- It collects basic file information such as size, timestamp, and location. If desired, Software Inventory can also collect files from the clients and store them on the site server.
- You can customize the classes that should be collected per site or per collection.
- More information about Software Inventory: http://technet.microsoft.com/en-us/library/gg682126.aspx

Asset Intelligence (AI)
- Asset Intelligence lets you inventory and manage software license usage by using the Asset Intelligence catalog
- Uses AI Synchronization Point to download catalog
- 60+ reports
- 2 new Maintenance Tasks
  - Check Application title with Inventory information
  - Summarize installed software data

Asset Intelligence feature
- Asset Intelligence lets you retrieve inventory data and manage software license usage throughout the enterprise by using the Asset Intelligence catalog.
- It uses the AI Synchronization point role (installed on CAS or standalone Primary) to periodically pull the latest AI Catalog from Microsoft.
- Asset Intelligence uses the Hardware Inventory agent to scan for additional classes. Those classes are enabled from the console without editing the SMS_DEF.MOF file.
- You can use more than 60 reports to display Asset Intelligence information.

Database Maintenance
Two new database Maintenance Tasks:
- Check Application Title with Inventory Information checks that the software title reported in software inventory is reconciled with the software title in the Asset Intelligence catalogue.
- Summarize Installed Software Data provides the summary information displayed in the Inventoried Software node under the Asset Intelligence node.

More information on Asset Intelligence can be found at: http://technet.microsoft.com/en-us/library/gg699382.aspx

Software Metering
- Monitor and collect software usage data from Configuration Manager clients
- You can view the data via Collections, Queries or Reports
- Metering rules can be created manually or automatically

Software Metering feature
Software Metering client agent tracks process usage on the clients.

Software Metering tracks process start and stop times as well as who has started it. It does not record how the process has been used. So, we can only know that a user has started an application and how long it was open, but not whether it was actually in use.

To collect this information you need to configure metering rules.

You can also let Configuration Manager automatically create metering rules for you based on which software was used the most in a specific number of days.

Software metering reports can be used to save your company licensing money, by taking the licenses away from people who are not using specific software.

More on TechNet: http://technet.microsoft.com/en-us/library/gg682017.aspx

Remote Control
- Use Remote Control to remotely administer, provide assistance, or view any client computer in the hierarchy
- Three ways to connect:
  - Remote Control
  - Remote Desktop
  - Remote Assistance
- New Features
  - Pass CTRL+ALT+DEL to client
  - Disable client mouse and keyboard during Remote Control sessions
- Remote Tools are configured in the Default Client Settings or in Custom Device Settings linked to a Collection
- Start Remote Control Viewer from a command line

Remote Control Agent
- Remote Control client allows administrators to connect to the desktop of remote clients.
- Administrators can connect to AD joined machines as well as workgroup machines.

Remote Control Methods
This can be achieved in three ways:
- Remote Control is the functionality built into Configuration Manager.
- Remote Desktop: This uses the built-in RDP functionality of Windows OS.
- Remote Assistance is also the built-in RDP functionality of Windows OS.

Features of Remote Control
Among other things, Remote Control allows you to:
- Start the Remote Viewer from the command line or from the console. It supports multiple monitors, scaling of the picture and changing of the color depth.
- As in SMS 2003, you can now send the "gold key" (CTRL-ALT-DEL) combination to the clients.
- Remote Control client settings can be configured per site or collection.
- Automatically configure Windows firewall to open the required port TCP 2071.
- You can lock the keyboard and mouse of the remote computer.

Remote Control on TechNet: http://technet.microsoft.com/en-us/library/gg682062.aspx

Role Based Administration
- New security model that simplifies administration
- Security Roles
- Security Scopes
- Collections

New security model
- System Center 2012 Configuration Manager introduces role-based administration to centrally manage hierarchy-wide access rights for all sites and site settings.
- Administrators now see only what they have access to.

RBA benefits
Role-based administration provides the following benefits:
- Sites are no longer administrative boundaries.
- You create administrative users for the hierarchy and assign security to them one time only.
- You create content for the hierarchy and assign security to that content one time only.
- All security assignments are replicated and available throughout the hierarchy.
- There are built-in security roles to assign the typical administration tasks and you can create your own custom security roles.
- Administrative users see only the objects that they have permissions to manage.
- You can audit administrative security actions.

Roles, Scopes and Collections
RBA is implemented through Roles, Scopes and Collections:
- Security Roles group typical administrative tasks. They contain permissions for objects (for example, Create Package). Many Security Roles are already built-in. You can customize the roles.
- Security Scopes replace individual instance rights. They provide administrative users with access to securable objects. All securable objects must be assigned to one or more security scopes. Two scopes are built-in (All and Default) and you must create your own scopes to restrict objects.
- Collections can be assigned to security scopes to limit what administrative users can see.
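How roles, scopes and collections combine into one access decision can be shown with a small model. This is an added example, not Configuration Manager code: it assumes an action is allowed only when a role grants the operation, the object shares a scope with the administrator (with the built-in All scope treated as covering every object), and any target collection is one the administrator holds. The role names, users, objects and collections are constructed.

```python
from dataclasses import dataclass

ALL_SCOPE, DEFAULT_SCOPE = "All", "Default"   # the two built-in security scopes

# Constructed roles: each groups (object type, operation) permissions.
ROLES = {
    "Package Author": {("Package", "Read"), ("Package", "Create"), ("Package", "Modify")},
    "Package Deployer": {("Package", "Read"), ("Package", "Deploy")},
}


@dataclass(frozen=True)
class SecurableObject:
    name: str
    obj_type: str
    scopes: frozenset

    def __post_init__(self):
        # Every securable object must be assigned to one or more scopes.
        if not self.scopes:
            raise ValueError(f"{self.name}: object has no security scope")


@dataclass(frozen=True)
class AdminUser:
    name: str
    roles: frozenset
    scopes: frozenset
    collections: frozenset


def role_allows(admin, obj_type, operation) -> bool:
    return any((obj_type, operation) in ROLES[r] for r in admin.roles)


def in_scope(admin, obj) -> bool:
    # Assumption: the built-in All scope covers every object.
    return ALL_SCOPE in admin.scopes or bool(admin.scopes & obj.scopes)


def can(admin, operation, obj, collection=None) -> bool:
    """All checks must pass; `collection` is the target of a deployment."""
    if not (role_allows(admin, obj.obj_type, operation) and in_scope(admin, obj)):
        return False
    return collection is None or collection in admin.collections


def visible(admin, objects):
    """Administrative users see only the objects they may manage."""
    return [o.name for o in objects if can(admin, "Read", o)]


def audit(admins, objects):
    """Review findings: broad scope grants and objects nobody has restricted."""
    findings = [f"{a.name}: holds the built-in '{ALL_SCOPE}' scope"
                for a in admins if ALL_SCOPE in a.scopes]
    findings += [f"{o.name}: only in the built-in '{DEFAULT_SCOPE}' scope"
                 for o in objects if o.scopes == {DEFAULT_SCOPE}]
    return findings


# Constructed sample data.
OBJECTS = [
    SecurableObject("SQL tools", "Package", frozenset({"Servers"})),
    SecurableObject("PDF reader", "Package", frozenset({"Workstations"})),
    SecurableObject("Test build", "Package", frozenset({DEFAULT_SCOPE})),
]
ALICE = AdminUser("alice", frozenset({"Package Author"}),
                  frozenset({"Servers"}), frozenset({"All Servers"}))
BOB = AdminUser("bob", frozenset({"Package Deployer"}),
                frozenset({"Workstations"}), frozenset({"Kiosk PCs"}))
CAROL = AdminUser("carol", frozenset({"Package Deployer"}),
                  frozenset({ALL_SCOPE}), frozenset({"All Systems"}))

if __name__ == "__main__":
    print(visible(BOB, OBJECTS))
    print(audit([ALICE, BOB, CAROL], OBJECTS))
```

The audit function is the part worth adapting: administrators holding the All scope and objects left only in Default are where least privilege is not yet enforced.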

Report security
The role-based administration model does not control Configuration Manager report security. This is handled through SQL Reporting Services.

More on TechNet: http://technet.microsoft.com/en-us/library/gg712284.aspx

Collections
- Collections represent logical groupings of resources, either users or devices (not both in a single collection)
- Sub collections are no longer used and they are replaced with folders
- Added new functionality: Include and exclude collection rules
- Collection limiting: All collections must be limited to another collection
- Configuration Manager uses WMI query language to retrieve data from the database to populate Collections and Queries
- Contain resources from all sites in the hierarchy
- Can be restricted using RBA

What are Collections?
- Collections in Configuration Manager represent logical groupings of resources. Those can be either users or devices, but not both in the same collection.
- All Collections must be limited to another collection (for example All Systems).
- You cannot nest collections, however you can create a hierarchy using folders.
- The Console global search function now makes it easier to find collections.
- Collections contain resources from all sites in the hierarchy.
- Access to Collections can be restricted using RBA.

Collections are used for:
- Application Management
- Deploying Compliance settings
- Installing Software Updates
- Managing Client settings

Collection Rules
Collections can be populated using Collection rules:
- Direct Rule: Allows you to manually choose which resources will be members of a collection.
- Query Rule: Dynamically updates members of the collection based on the WMI Query Language (WQL).
- Include Collections Rule: Lets you include the members of another collection.
- Exclude Collections Rule: Lets you exclude the members of another collection.

Default Collections
There are only a few default collections in Configuration Manager:
- All User Groups
- All Users
- All Users and User Groups
- All Desktop and Server Clients
- All Mobile Devices
- All Systems
- All Unknown Computers

Comparison of Collections in Configuration Manager 2007 to Configuration Manager

Configuration Manager 2007 Collections:
- Collections can hold User and Computer resources
- Use of subcollections

Configuration Manager Collections:
- Collections can hold user or computer resources, not both
- Subcollections are no longer used
- Include and exclude rules
- Use RBA scopes to limit access
- Collection limiting
- Import to Collections

Collections have changed significantly from previous versions.

System-centric Versus User-centric Management

User-Centric Client Mgmt of Tomorrow
- Targeted at the end user
- Implicit and intent-based
- Software deployment is about delivering the right app in the right way to the right user under the right condition
- Enable the user to be productive anywhere and anytime
- Maintain IT control while balancing the needs for end user empowerment

Systems Management of Today
- Targeted at the device
- Explicit and action-based
- Software deployment
- Optimized for systems management inside the firewall
- Optimized for tight IT control, minimal end user involvement

New Approach to Management
In System Center 2012 Configuration Manager, we are moving away from the established Computer-centric management that we know today.

Just as the user base has matured, so did Configuration Manager.

In the past, users were just the necessary evil sitting behind our precious computers. It was the computers that we managed, not the users, but this has changed.

The way users work and interact with devices has changed significantly. Users are more mobile now and are using an array of different devices, based on their location. A user might use his PC while in the office, a notebook at home and his Mobile device or tablet while traveling.

Those users require the same applications regardless of the device they are using.

The new Configuration Manager User-centric client management can help administrators achieve this goal.

With the Application deployment model, we are targeting different types of software to users based on the device they are currently using.

Application Management
- Switch to user-centric from system-centric management
  - Manage Applications, not setup scripts
  - Think "User first"
  - Define User Device Affinity (UDA)
- Application Catalog
  - A website that allows users to browse for and request software
  - Requires Application Catalog role
- Software Center
  - Installed with the Configuration Manager client
  - Users run this from the Start menu to request software

Application Model
In Configuration Manager 2007, we used to deploy packages. Those were seldom anything more than installation scripts that were targeted to devices. If a Package was targeted to a user, we did not distinguish which device the user was using at the moment. This has changed with the new Application model.

Types, Rules and Affinity:
Each Application can have multiple Deployment types and Requirement Rules.
- A Deployment type contains the files and commands necessary to install the software. An Application can contain multiple deployment types (local installation, virtual application, mobile device version, ...)
- Requirement Rules define conditions that specify how an application is deployed to the clients. You can specify that under certain conditions an application will not be installed, but instead a virtual application will be deployed.
- User Device Affinity allows administrators (or users) to associate a User with a specific device. This allows us to target software to users rather than devices. For example, we would perform a local installation on the user's primary device and deploy only a virtual application if the user is logged on to a different computer.

Application Catalog
- Application Catalog is a self-service application website, which allows users to browse for and request software or wipe their mobile device.
- It requires the Application Catalog role to be installed.

Software Center
Software Center is a new client program that allows users to:
- Browse for and install software from the Application Catalog.
- View their software request history.
- Configure when Configuration Manager can install software on their devices.
- Configure access settings for remote control, if an administrative user enables remote control.

It is automatically installed on client computers when you install the Configuration Manager Client and includes the Application Catalog link.

Read more at: http://technet.microsoft.com/en-us/library/gg682125.aspx

Software Updates Management
- Auto Deployment Rules (i.e. similar to auto approval method in WSUS)
- Provides administrators with tools to track and apply software updates to client computers
- Builds on WSUS 3.0 SP2
- Only the top site synchronizes with Windows Updates on the internet
- Each site can have one active SUP

Software Update Management
The Software Update Management feature of Configuration Manager provides administrators with the tools and resources that can help track and apply software updates to clients throughout the enterprise.

It builds on WSUS 3.0 SP2. Configuration Manager does not install WSUS; you need to install it yourself. After that you need to deploy the Software Updates Point Role (SUP) to the WSUS server.

SUP Role placement
Each site can have multiple Software Update Points installed, however only one can be active. Multiple SUPs are allowed in case you decide to use a Network Load Balancing (NLB) cluster to accommodate more than 25,000 clients in a site.

Synchronization
Only the top site synchronizes with Windows Update on the internet. In a standalone configuration this is the Primary site; in a hierarchy it is the CAS. The Software Update Points at child sites synchronize with the SUP at the parent site.

Software Updates Management
Main features:
- Superseded update support
- SUM admin role (with RBA)
- Client agent settings
- Software update groups
- Automated deployments
- End user experience
- Content library and cleanup
- Migration from Configuration Manager 2007
- Maintenance windows
- Selective download of binaries
- Wake On LAN
- Internet-based client support

Software Updates Management Main Features:
- Superseded update support
  - Expired updates cannot be deployed; however, you can now specify a period of time after which the superseded updates will expire. This allows you to deploy superseded updates.
- SUM admin role (with RBA)
  - The Software Update Manager security role allows administrative users to define and deploy software updates.
  - Administrative users who are associated with this role can create collections, software update groups, deployments, templates, and enable software updates for Network Access Protection.
- Client agent settings
  - You can configure which users can initiate the installation of Software Updates.
  - Choose between: All Users, Only Administrators, Only Administrators and primary users, No Users
- Software update groups
  - Software Update Groups replace Update Lists in Configuration Manager 2007.
  - They are used to effectively manage and organize Software Updates.
  - Software Updates can be added automatically or manually.
  - You can also deploy a software update group manually or automatically by using an automatic deployment rule.
- Automated deployments
  - Automatic Deployment Rules allow you to automatically approve and deploy software updates based on criteria you provide.
- End user experience
  - Configuration Manager provides users with more control over Software Updates installation time.
  - Users can control the installation time from the Software Center application.

- Content library and cleanup
  - Software updates are stored in the Content Library with all the other content files (applications, OS images, drivers, ...)
  - Expired and superseded updates can be automatically removed:
    - Expired software updates that are not associated with a deployment are automatically removed every 7 days by a site maintenance task.
    - Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task.
    - Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task.
- Migration from Configuration Manager 2007
  - If you are migrating from an existing Configuration Manager 2007 hierarchy, you can migrate software update objects such as update lists, deployments, deployment packages, and deployment templates.
- Maintenance windows
  - Maintenance windows are fully obeyed in Software Updates deployment.
- Selective download of binaries
  - Clients only download the missing updates, not the entire package.
- WOL
  - Wake on LAN technology can be used to deploy software updates to clients that are in sleep mode.
- Internet-based client support
  - When an Internet-based client receives a software update deployment, it first tries to download the update from Microsoft Update; only if this is not successful is the update copied from the internet-facing distribution points.

You can read more at: http://technet.microsoft.com/en-us/library/gg682168.aspx

Operating System Deployment (OSD)
- Provides administrators with the tools for creating OS images and deploying them to managed or unmanaged computers
- Deployment can be done using bootable media (USB, CD, DVD) or PXE network boot
- Uses Windows Imaging Format (WIM) files that contain the OS
- Operating system deployment provides the following functionality:
  - Operating system image capture/deployment
  - User state migration by using the User State Migration Tool
  - Operating system image deployment
  - Task sequences provide the mechanism for performing multiple steps or tasks on a computer at the command-line level without requiring user intervention

The Operating System Deployment (OSD) feature of Configuration Manager provides administrators with tools for creating Operating System images. Those images can be deployed to managed (existing) or unmanaged (new) computers.

Image deployment and format
The images can be deployed using:
- Bootable media (USB, DVD) - You can create this media from the console.
- PXE network boot - This feature requires that you install a PXE Role to an existing Windows Deployment Server (WDS) computer.

OSD uses Windows Imaging Format (WIM) files that contain the OS images. One WIM file can contain more than one OS image. You can create the OS images using Configuration Manager Task Sequences or capture them manually using the ImageX utility.

OSD Functionality
The OSD feature provides administrators with the following functionality:
- Automated OS Image Build and capture using a simple wizard
- User profiles and documents migration by using the User State Migration Tool (USMT)
- OS Image deployment to existing or new computers
- Task Sequences provide the mechanism for performing multiple tasks without user intervention. Task sequences can be used for OS deployment as well as Application or Package deployment. They run under the System account.

More information at: http://technet.microsoft.com/en-us/library/gg682108.aspx

Operating System Deployment (continued)
- Apply Windows Update by using Component-Based Servicing (CBS) to update the WIM file rather than recreating it
- Use of same Task Sequence to deploy OS to computers anywhere in the hierarchy
- Capture/Restore User State supports new features from USMT 4.0
- CMTrace is now added to all boot images
- TS media wizard can be suppressed during OS installation when using media

Component-Based Servicing
You can apply Windows Updates by using Component-Based Servicing (CBS) to update the Windows Imaging Format (WIM) files that are stored in the Image node of the Software Library workspace.
More information at: http://technet.microsoft.com/en-us/library/dd349164

Task Sequence media
You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy. It is no longer tied to the site where it was created.
More information at: http://technet.microsoft.com/en-us/library/hh397285.aspx

USMT 4.0
The Capture User State task sequence action and the Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4.0. For example:
- Hard-Linking
- Using Volume Shadow Service (VSS)
- Skipping EFS encrypted files
- Continuing if some files cannot be captured
- Capturing offline (in WinPE)
More information at: http://technet.microsoft.com/en-us/library/hh397289.aspx

Log viewer
CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library.

TS Media Wizard
When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention.

Endpoint Protection

Endpoint Protection in Configuration Manager
- System Center 2012 Endpoint Protection is integrated with Configuration Manager
- Configured as a Configuration Manager Role

Capabilities of Endpoint Protection
- Configure antimalware policies and Windows Firewall settings
- Use Software Updates to download the latest antimalware definition files to keep clients up-to-date
- Stay updated on client status via email notifications, in-console monitoring, and reports

Endpoint Protection client
- Installs in addition to Configuration Manager client
- Malware and Spyware detection and remediation
- Rootkit detection and remediation
- Critical vulnerability assessment and automatic definition and engine updates
- Network vulnerability detection via Network Inspection System
- Integration with Microsoft Active Protection Services

Endpoint Protection Integration
- In System Center 2012, Endpoint Protection is now fully integrated with Configuration Manager.
- There is no need to run a separate setup or a separate database requirement. Instead, Endpoint Protection is installed as a site system role.
- Endpoint Protection client is enabled in Client Agent settings. It is driven by policy and does not depend on packages or programs.
- There are two default policies: Antimalware and Firewall.
- Configuration Manager Software Updates Auto Deployment rules can be used to automatically deploy new definitions.
- Endpoint Protection also integrates with the Configuration Manager Monitoring. This enables you to get client status, updates in console, reports and email notifications. All of this is done through high priority State Messages sent by the clients.
- Endpoint Protection client is deployed from the Configuration Manager console, but separately from the Configuration Manager clients. SCEPInstall.exe is pre-staged on the clients as part of the CCMSetup.

Capabilities
The Endpoint Protection client has the following capabilities:
- Malware and Spyware detection and remediation
- Rootkit detection and remediation
- Critical vulnerability assessment and automatic definition and engine updates
- Network vulnerability detection via Network Inspection System
- Integration with Microsoft Active Protection Services to report malware to Microsoft

Administrators can be assigned the special Endpoint Protection Manager security role to provide them the minimum required permissions to manage Endpoint Protection.

You can read more on TechNet: http://technet.microsoft.com/en-us/library/hh508760.aspx

Reporting
- Reporting helps you gather, organize and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization
- Over 400 predefined reports
- Requires:
  - SQL Server Reporting Services (SSRS)
  - Reporting Services Point installed on SSRS
- The classic Reporting Point has been removed

Reporting feature
- Reporting is one of the main features of Configuration Manager.
- It helps administrators to organize and present information gathered by other features (AI, HW and SW Inventory, Status messages, etc.)
- You can use one of over 400 predefined reports or create your own using the Reporting Services Report Builder tool.
- Users with appropriate permissions can use report subscriptions to have the reports automatically delivered on a schedule.

Requirements
Reporting in Configuration Manager requires that a Reporting Services Point is installed on a SQL Reporting Services server.
The old Reporting Point from previous versions has been deprecated.

Find out more at: http://technet.microsoft.com/en-us/library/gg682105.aspx

Compliance Settings
- DCM is now called Compliance Settings
- Compliance Settings contains tools to help you assess the compliance of users and client devices with regard to a number of configurations
- Compliance Settings objects:
  - Configuration Items
  - Configuration Baselines
- Assign Configuration Baselines to Collections
- Automatic remediation for some settings
- Use Configuration Manager Monitoring features

Compliance Settings lets you assess and manage the configuration and compliance of your devices.

Configuration Items
To assess compliance you first need to create one or more Configuration Items. Those Configuration Items contain the rules and values that you want to check on your devices.

You can check for the following setting types:
- Active Directory query
- Assembly
- File System
- IIS Metabase
- Registry key or value
- Script
- SQL or WQL query
- XPath query

Configuration Baselines and auto-remediation
- Configuration Items are joined together into Configuration Baselines, which are assigned to Collections.
- Configuration Item settings of the type WMI, registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found.
- You can import, export and duplicate Configuration Items and Baselines.

More information on TechNet: http://technet.microsoft.com/en-us/library/gg682139.aspx

Internet-Based Client Management (IBCM)
Internet-based client management lets you manage Configuration Manager clients when they are not connected to your corporate network but have a standard Internet connection.
- Clients and Site Servers used for IBCM must use PKI
- Some features are not supported
- Internet-based clients on the Internet first try to download any required software updates from Microsoft Update

The Internet-Based Client Management feature allows you to perform limited management functions on Configuration Manager clients that are connected to the Internet.

IBCM Requirements
Because IBCM requires some parts of your Configuration Manager infrastructure to be accessible from the Internet, this feature requires a PKI to be in place. All Internet-facing site systems must use HTTPS communication mode.

Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails do they try to download the required software updates from an Internet-based distribution point.

Unsupported features
Because not all client functionality is appropriate for the Internet, some features are not supported:
- Client deployment
- Auto-site assignment
- Network Access Protection
- Wake on LAN
- OS deployment (generic task sequences are supported)
- Remote Control
- Out of Band Management
- Software deployment to users (unless AD authentication using Kerberos or NTLM can be performed)
- No roaming

More information at: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients

Mobile Device Management
- You can deploy Configuration Manager clients on supported mobile devices
- Client installation requires PKI certificates on the mobile devices
- With the Configuration Manager client installed you can manage:
  - Hardware inventory
  - Software installation
  - Settings

Supported OS:
- Windows Mobile 6.1, 6.5
- Nokia Symbian Belle (SR1)
Supported Legacy Client OS:
- Windows Mobile 6.0
- Windows CE 5.0, 6.0, 7.0

The Configuration Manager Mobile Device Management feature allows you to enroll devices in Configuration Manager.

Client enrollment
Enrolling clients gives you the most management functionality:
- It requires PKI security between Configuration Manager and the mobile device.
- Installation of the Configuration Manager client can be performed by the user from a web browser on the device.
- Support over the Internet
- HW inventory
- Manage settings through Mobile Device Configuration Items and Baselines
- Deploy Applications (install or uninstall). Packages and updates are not supported.
- Block the device from Configuration Manager
- Remote wipe

Supported OS
Supported device operating systems for enrollment:
- Windows Mobile 6.1
- Windows Mobile 6.5
- Nokia Symbian Belle (SR1)

Legacy Client
With the Legacy client you can manage:
- Installation of the Configuration Manager client can be performed by the administrator by deploying a package and program.
- Support over the Internet
- HW inventory
- SW inventory of installed applications; it cannot inventory files.
- Deploy Packages. Applications and updates are not supported.
- Block the device from Configuration Manager

The Legacy Client supports the following OS:
- Windows CE 5.0
- Windows CE 6.0
- Windows CE 7.0
- Windows Mobile 6.0

More information at:
http://technet.microsoft.com/en-us/library/gg682077.aspx
http://technet.microsoft.com/en-us/library/gg682022.aspx

Mobile Device Management (continued)
For devices with no client you can use the Configuration Manager Exchange Connector for light management.
Exchange Connector:
- Retrieve limited inventory information
- Define settings (limited to Exchange ActiveSync policies)
- Issue wipe commands
- Block the device from Exchange Server
Supported Exchange Server versions:
- Exchange Server 2010 SP1
- Exchange Online

Exchange Server Connector
Devices that do not support client installation can still be partially managed through the Exchange Server connector. This allows you to:
- Manage your devices over the Internet
- Perform limited HW inventory
- Manage settings (limited to the Exchange ActiveSync policies)
- Remote wipe the device
- Block the device from Exchange Server
Enrolled devices can be managed through the Exchange Connector at the same time.

Exchange server versions
Supported Exchange Server versions:
- Exchange Server 2010 SP1
- Exchange Online

Backup and Recovery
Backup Task
- Generally the same tasks as in Configuration Manager 2007
- Maintenance Task location differs in Configuration Manager
- Scheduling, the SmsBkup.ctl file and AfterBackup.bat remain the same

Recovery
- Recovery from the install media / Setup Wizard
- Granular level of recovery
- Leverage SQL Server Replication

Backup
Scheduling
- Consider a backup schedule that is outside of working hours
- In a hierarchy, consider schedules that run at least twice a week to ensure maximum data retention in the event of site failure
Timing Issues
- When setting up the backup task locally from the console, the Backup maintenance task will use the local time of the Configuration Manager site server
- When setting up the backup task remotely from a remote console, the Backup maintenance task will use UTC

SmsBkup.ctl
- Defines the content location of files to be backed up
- You can additionally define specific files and folders to be backed up as part of the Configuration Manager backup task
AfterBackup.bat
- An additional batch file you can create to run after the Configuration Manager backup task
- The Backup task checks whether the file exists
  - If yes, the batch file will run
  - If no, the backup task will complete
- AfterBackup.bat is often used to maintain generational backup files, because each time the backup maintenance task runs it overwrites the existing data with the new backup data.
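A sketch of an AfterBackup.bat for the generational-backup use described above, as an added example that is not part of the workshop material. The folder paths, the retention count, the gen- folder prefix and the use of robocopy and PowerShell for the timestamp are assumptions.

```batch
@echo off
setlocal EnableExtensions

rem AfterBackup.bat: keep generational copies of the site backup.
rem Added example. The three values below are assumptions; adjust them to your site.
rem   BACKUP_DIR   - folder the backup maintenance task writes to (overwritten each run)
rem   ARCHIVE_ROOT - dedicated folder on a different volume, restricted to backup operators
rem   KEEP         - number of generations to retain (must be 1 or more)
set "BACKUP_DIR=E:\CMBackup"
set "ARCHIVE_ROOT=F:\CMBackupArchive"
set "KEEP=5"

if not exist "%BACKUP_DIR%\" (
    echo Backup folder "%BACKUP_DIR%" not found.
    exit /b 1
)
if not exist "%ARCHIVE_ROOT%\" mkdir "%ARCHIVE_ROOT%" || exit /b 1

rem Locale-independent timestamp; %DATE% and %TIME% vary with regional settings.
for /f "usebackq delims=" %%T in (`powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"`) do set "STAMP=%%T"
if not defined STAMP (
    echo Could not build a timestamp.
    exit /b 1
)
set "TARGET=%ARCHIVE_ROOT%\gen-%STAMP%"

rem Copy the fresh backup into its own generation folder.
rem /E = include subfolders, /R and /W = bounded retries, /NP = no progress lines in the log.
robocopy "%BACKUP_DIR%" "%TARGET%" /E /R:2 /W:5 /NP /LOG:"%ARCHIVE_ROOT%\gen-%STAMP%.log"

rem robocopy exit codes of 8 or higher mean at least one file or folder failed to copy.
if errorlevel 8 (
    echo Copy to "%TARGET%" failed; older generations were left untouched.
    exit /b 1
)

rem Prune only after a good copy. Names sort chronologically, so /O-N lists the
rem newest first and "skip" protects the newest KEEP generations.
for /f "skip=%KEEP% delims=" %%D in ('dir /b /ad /o-n "%ARCHIVE_ROOT%\gen-*" 2^>nul') do (
    rd /s /q "%ARCHIVE_ROOT%\%%D"
    del /q "%ARCHIVE_ROOT%\%%D.log" 2>nul
)

exit /b 0
```

Because the archive holds copies of the site database backup, give the archive folder the same access restrictions as the backup folder itself.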

Recovery
Site Recovery is done in one of two ways:
- Recovering a site from the backup data
- Reinstalling the site

Site Recovery in Configuration Manager is initiated from Configuration Manager Setup:
- Recover the site server using an existing backup: Use this option when you have a backup of the Configuration Manager site server that was created on the site server as part of the Backup Site Server maintenance task before the site failure. The site will be reinstalled and the site settings configured based on the site that was backed up.
- Reinstall the site server: Use this option when you do not have a backup of the site server. The site server is reinstalled and you must specify the site settings, just as you would during an initial installation. To recover the site successfully, you must use the same site code and site database name that you used when the failed site was initially installed.

Part of the recovery process gives you the option to recover the site database in several ways:
- By recovering the site database using the backup files created by the backup task
- By creating a new database, where the database will replicate data from:
  - The CAS (when recovering a Primary Site)
  - The reference Primary Site (when recovering the CAS)
You also have the option to use a database that has been manually recovered. This means the database is already recovered, but you still need to carry out the rest of the recovery process.

SQL Server Change Tracking:
Change tracking lets Configuration Manager query for information about the changes that have been made to database tables after a previous point in time. The Change Retention Period is 5 days and cannot be changed. If the SQL Server backup data you recover is within the Retention Period, the database will commit any changes that have taken place as part of the backup process. Otherwise, the database is reinitialized.

More at: http://technet.microsoft.com/en-us/library/gg712697.aspx

Migrating from Configuration Manager 2007
- No upgrade to Configuration Manager
- Migration functionality is built into the Configuration Manager Administration Console
- Use migration jobs to configure the specific data that you want to migrate and manage the migration of this data

No Upgrade Option
System Center 2012 Configuration Manager has introduced several major changes in the product from Configuration Manager 2007. Those changes prevent an in-place upgrade from being performed. For example, Configuration Manager is now a 64-bit application with a database that is optimized for Unicode and shared between all sites. Site types and relationships have also changed.
While there is no in-place upgrade, you can still maintain your investment in Configuration Manager 2007 by migrating to Configuration Manager.

Migration functionality is built into the console
Migration functionality can be found under the Administration workspace in the Configuration Manager console.

Migration jobs
- Migration jobs allow you to configure specific data to be migrated.
- Migration jobs run at the CAS or stand-alone Primary site.
- One or more migration jobs can be configured per source site.
- You can only migrate data from the site where the object was created.

Migration Job Types
Configuration Manager supports three migration job types:
- Collection migration - migrates all objects that are related to a selected collection.
- Object migration - migrates specific individual objects that you select.
- Previously migrated object migration - migrates objects in the source hierarchy that were previously migrated but that have since been updated in the source hierarchy.

More information at: http://technet.microsoft.com/en-us/library/gg682006.aspx

Other features
- Network Access Protection (NAP)
- Application Virtualization (App-V)
- Power Management

Network Access Protection (NAP)
Configuration Manager Network Access Protection lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server. The Network Policy Server then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation.
More about NAP: http://technet.microsoft.com/en-us/network/bb545879.aspx

Application Virtualization (App-V)
Application Virtualization is now just another Application deployment type.

Power Management
- The Power Management feature allows you to monitor and manage the power consumption of client computers. It uses the built-in power management features of the Windows operating system.
- You can apply different power settings to computers during business hours and nonbusiness hours.
- Power options are configured in Client settings.
- Power management in Configuration Manager includes several reports to help you analyze power consumption and computer power settings.
More about Power Management: http://technet.microsoft.com/en-us/library/gg682043.aspx

Configuration Manager Workshops
Title: Configuration Manager Concepts & Admin workshop
Modules:
- Introduction to Configuration Manager
- Deploying Configuration Manager
- Configuring Discovery and Deploying Clients
- Inventory, Asset Intelligence, Software Metering, and Remote Control
- Migrating from Configuration Manager 2007 to 2012 Overview
- Configuration Manager Console Security
- Collections and Queries
- Deploying Applications
- Deploying Software Updates
- Client Status monitoring
- Backup and Recovery (Optional)

System Center 2012 Configuration Manager: Concept & Admin workshop modules
Basic Workshop (4 days)
- Introduction to Configuration Manager 2012
  - Every feature gets a mention
  - Backup and Recovery overview
  - "What's changed" content that can be removed later when it may no longer be pertinent
  - List of available workshops
  - No lab
- Deploying Configuration Manager 2012
  - Overview of site deployment and site systems
  - Unattended installation overview and best practices
  - Video demo, no lab
- Configuring Configuration Manager 2012 Discovery and Deploying Clients
  - Discovery
  - Client Deployment
  - Lab
- Inventory, Asset Intelligence, Software Metering, and Remote Control in Configuration Manager 2012
  - Slides and lab for above features
- Migrating from Configuration Manager 2007 to 2012 Overview
  - Overview only. Detailed content reserved for Migration and Application Management workshop. Possible recorded demo.

- Configuration Manager 2012 Console Security
  - Slides and lab
- Collections and Queries in Configuration Manager 2012
  - Defining collections and queries
  - Collection-specific client agent policy
  - Maintenance Window overview
  - No lab
- Deploying Applications in Configuration Manager 2012
  - High-level overview of legacy software distribution
  - Introduction to Application Deployment (App Model) (Note: Application Deployment content will be covered more in-depth in the Advanced workshop and at an advanced, detailed level in the Migration and Application Management workshop)
  - Lab
- Deploying Software Updates in Configuration Manager 2012
  - Overview of FEP
  - Slides and lab
- Client Health in Configuration Manager 2012
  - Overview of Client Health features built in to CM 2012
  - Mention of Client Health service
  - Lab
- Backup and Recovery (Optional)
  - No lab

Configuration Manager Workshops
Title: Configuration Manager Advanced workshop
Modules:
- Configuration Manager Deployment and Architecture
- Compliance Settings
- Advanced Scenarios for Deploying Applications
- Customizing Software Updates
- Monitoring Site and Client Health
- Troubleshooting and Site Recovery

The System Center 2012 Configuration Manager: Concepts and Administration Advanced

This workshop builds on the information from the Introduction workshop. It goes deeper into some basic features and introduces features not covered by the previous workshop.

Workshop duration: 3 days

- Configuration Manager Deployment and Architecture
  - Site roles and deploying servers
  - Site systems
  - Architectural considerations
  - Sites
  - Site systems, and DPs for content location (advanced detail in Module 3)
  - Site-to-site communication
  - Secure client-site communication (certificate-based) overview
  - List of available workshops for additional information
  - Slides (with appendix) and lab
- Compliance Settings in Configuration Manager
  - Configuration Items (CIs)
  - Configuration Baselines
  - Compliance Reporting and Alerts
  - Remediation
  - Troubleshooting
  - Authoring overview
  - Slides (with appendix) and lab
- Advanced Scenarios for Deploying Applications in Configuration Manager
  - App model concepts
  - Deployment types
  - Software Center and catalog
  - Complex application management scenarios
  - Global conditions
  - Supersedence
  - Uninstall
  - User device affinity
  - Advanced content location (complex roaming scenarios)
  - Self-healing distribution points
  - App-V
  - Troubleshooting
  - Slides (with appendix) and lab
  - Not in scope (except as brief mention): Package Conversion Manager and app migration from ConfigMgr 2007 (covered in Migration workshop).
- Customizing Software Updates Distribution in Configuration Manager
  - SCUP
  - SUPs on NLB: brief overview
  - FEP: brief overview
  - Troubleshooting
  - Slides (all content (with appendix)) and lab on SCUP
  - Not in scope: Microsoft software updates distribution (covered in Part 1); FEP (except as brief overview; covered in FEP workshop)
- Monitoring Site and Client Health in Configuration Manager
  - Site monitoring
  - Site alerts and dashboards
  - Client health reporting (including customized reports/collections/criteria)
  - Client health remediation strategies
  - Maintenance task settings
  - Slides (with appendix) and lab
- Troubleshooting and Site Recovery in Configuration Manager (Day 3: 3 hours)
  - Process flows including components and their logs
  - New ConfigMgr 2012 data replication model
  - Tools
  - Backup and site repair (included in setup)
  - Slides (with appendix) and lab

Configuration Manager Workshops
Title: Configuration Manager Migration and Application Workshop
Modules:
- New features and changes
- Design and roles
- Preparing for migration
- Migration
- Application Management
- Large migration scenario

The System Center 2012 Configuration Manager: Migration and Application Workshop covers the process of migrating your existing Configuration Manager 2007 infrastructure to Configuration Manager.
This is a 3-day workshop.

New Features/Changes with demo
- Hardware and software requirements
- Feature overview
- Install process overview
- Configuration Manager console demo
Design and roles
- New flat hierarchy
- Roles change
- Discovery
- Security roles
- Site communications
- Scenarios (with open discussion)
Preparing for migration
- What is migrated and what is not
- What you have to do in your Configuration Manager 2007 environment to have a smooth migration
- .NET Framework 4.0 on all the clients
- Start using BranchCache (lab)
- Use shares as source files for Packages (lab with possible ways/tools to change it)
- Start using SQL Reporting Services to migrate reports
- Configuration Manager Site Deployment
- 64-bit OS sites (P2V possibilities) (lab to show how the tools work)
Migration
- Setting Security roles
- Migration tool
- Boundaries
- Packages
- Shared DPs
- Software updates
- OSD
- DCM
- Migration of old packages/adv to the new App Model tool
- Client Migration and Assign
- Decommission old Configuration Manager 2007
Application Management
- User-centric approach
- Classic package deployment model
- Application Deployment model
- Deployment types (MSI, App-V, Windows Mobile Cabinet, etc.)
- Applicability Rules
- Dependencies
- Supersedence
- Deploying content
- Monitoring deployments
- Monitoring distribution status
- Alerting
- Software Center
Big Migration Scenario without solution

Configuration Manager Workshops
Title: Configuration Manager Operating System Deployment
Feature:
- Overview, Concepts, and Architecture
- Windows PE
- PXE and Multicast
- OSD Boot Scenarios
- Image Capture
- PXE and Multicast
- Task Sequences
- Driver Management
- USMT
- Deployments
- Offline Image Management
- Troubleshooting and Advanced Customization
- MDT Integration

Module Review
What are some of the benefits of using System Center 2012 in your business?

What are some of the new features of the Configuration Management Console?

How can Configuration Manager help you with employees who are using multiple devices in a variety of locations?

Module Review (answers)
What are some of the benefits of using System Center 2012 in your business?

What are some of the new features of the Configuration Management Console?

How can Configuration Manager help you with employees who are using multiple devices in a variety of locations?

What are some of the benefits of using System Center 2012 in your business?

As a member of the Microsoft System Center 2012 suite of management products, Microsoft System Center 2012 Configuration Manager increases IT productivity and efficiency by reducing manual tasks and enabling companies to focus on high-value projects, maximize hardware and software investments, and empower end-user productivity by providing the right software at the right time.

Configuration Manager helps provide effective IT services, by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices.

What are some of the new features of the Configuration Management Console?
- The System Center UI
- Workspaces and Ribbon
- Search
- Provider

How can Configuration Manager help you with employees who are using multiple devices in a variety of locations?

Application Model
In Configuration Manager 2007, we deployed packages. These were seldom anything more than installation scripts targeted at devices. If a package was targeted at a user, we did not distinguish which device the user was using at the moment. This has changed with the new Application model.

Types, Rules and Affinity:
Each Application can have multiple Deployment types and Requirement Rules.
- A Deployment type contains the files and commands necessary to install the software. An Application can contain multiple deployment types (local installation, virtual application, mobile device version, ...).
- Requirement Rules define conditions that specify how an application is deployed to the clients. You can specify that under certain conditions an application will not be installed, but instead a virtual application will be deployed.
- User Device Affinity allows administrators (or users) to associate a user with a specific device. This allows us to target software to users rather than devices. For example, we would perform a local installation on the user's primary device and deploy only a virtual application if the user is logged on to a different computer.

Application Catalog
The Application Catalog is a self-service application website that allows users to browse for and request software or wipe their mobile device.
It requires the Application Catalog role to be installed.

Software Center
Software Center is a new client program that allows users to:
- Browse for and install software from the Application Catalog.
- View their software request history.
- Configure when Configuration Manager can install software on their devices.
- Configure access settings for remote control, if an administrative user enables remote control.
It is automatically installed on client computers when you install the Configuration Manager Client and includes the Application Catalog link.

Module Summary
In this lesson, you learned:
- About Configuration Manager features
- About additional Configuration Manager courses to broaden your knowledge

This module briefly introduced you to the main features of System Center 2012 Configuration Manager.
The modules that follow in the next few days will provide more in-depth information about some of these features.