I often get asked the following two questions:
- I know you blog but why don’t you blog about Configuration Manager as much as other topics?
- What are some good resources for learning about Configuration Manager?
The answers to these questions are definitely interrelated. Let me start with the first question:
First of all, although as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time. That same NDA forbids me from blogging about MS products until they are GA. Other bloggers don’t have the same restriction so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manger written by some very knowledgeable people (fellow MVPs in many cases) that know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.
In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of t some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list would it?) – It was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms and because I don’t have any hermetically sealed envelopes I have arranged the list in alphabetical order.
|1. Configuration Manager Team Blog||This is a great place to get news and information about the product. Things like announcements, latest cumulative updates, new features and capabilities can be found here as well as common scenarios and troubleshooting tips. All of this of course courtesy of Microsoft|
|2. CoreTech||Coretech has a lot of high profile bloggers including Kent Agerlund, and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such their Configuration Manager Blog is a great resource.|
|3. Deployment Research||MVP Johan Arwidmark has done some extreme deployments. If you want deep dive and troubleshooting information about deployments including some unsupported workarounds (for your lab of course).|
|4. Enhansoft||Enhansoft is a company that focusses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations. They also give out a free SSRS report every month. MVP Garth Jones, the founder of Enansoft also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often.|
|If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally Jason is one of the moderators of the Configuration Manager TechNet forums another great resource.|
|6. MyITForum||MyItForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyItForum is famous for the running of the bulls at MMS to get passes to their famous party. Click here a link to a video about Community and MyITForum from MMS 2012 featuring Rod Trent is the President of MyITForum (and the Community Manager at WindowsItPro)|
|7. System Center User Group Belgium||Lots of good info here including blogs by MVPs Kenny Buntnix and Kim Oppalfens.|
|8. TechNet||TechNet has a lot of good resources including the official Microsoft Document Library for Configuration Manager, Release Notes, and Technical Publications.Configuration Manager TechNet forums is a great place for moderated support. There are other good resources as well such as ConfigMgrDogs.|
|9. WindowsItPro||WindowsItPro is a great resource for IT Pros in general but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog.|
|10. Windows-Noob.com||This is MVP Niall Brady’s blog. IT is a great place to get walkthroughs of every major feature of Configuration Manager. A good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 Guides.|
There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic. For better results, try some of Kim Oppalfens search providers to make it easier. These are just some that I use regularly and the first ten that came to mind. The selection process was by no means scientific and I was the only member of the selection committee. Full Disclosure – Yes, I do know most of the bloggers but that’s life.
If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again apologies to any good resources that I failed to mention.
I recently had to rebuild my Windows 8.1 laptop. In fact, this is the first real piece of work that I am doing on it while I reinstall apps in the background. As part of the process I had to re-install Microsoft Office. As long as I have been using a 64bit OS as my standard desktop (Windows 7 was the first OS that I only ran as x64)) as I have always used the 64bit version of Office. When downloading the ISO for Office 2013 SP1 from the MS Partner site, I noticed that Microsoft has posted the following message:
Important: Microsoft strongly recommends the use of 32-bit (x86) versions of Office 2013, Project 2013, and Visio 2013 applications as the default option for all platforms. Learn more about the deployment considerations for x64 and x86 at TechNet.
I consider myself somewhat of a technically savvy user (maybe a poor assumption?) and I have always assumed that all things being equal 64bit is better than 32bit. Just like 32bit is better than 16bit (and 16bit is better than 8bit etc.)
So Off I went to TechNet to find out why this strong recommendation from Microsoft. Considering how hard it has been to get users and enterprises to give up Windows XP, you’d think that they want everyone to upgrade to the latest generation of tools right?
Here is the key reason for the strong recommendation directly from TechNet:
32-bit Office is recommended for most users
We recommend the 32-bit version of Office, because it is more compatible with most other applications, especially third-party add-ins. This is why the 32-bit version of Office 2013 is installed by default, even on 64-bit Windows operating systems. On these systems, the 32-bit Office client is supported as a Windows-32-on-Windows-64 (WOW64) installation. WOW64 is the x86 emulator that enables 32-bit Windows-based applications to run seamlessly on 64-bit Windows systems. This lets users continue to use existing Microsoft ActiveX Controls and COM add-ins with 32-bit Office.
So what about my assumption that all things being equal x64 is better than x86? Well, I wasn’t wrong but it turns out that all things aren’t equal. Third party vendors don’t pay equal attention to 32bit office and 64bit office. There are other good reasons to consider Office x86 such as:
- The 64-bit version of Microsoft Office isn’t compatible with any other 32-bit version of Office programs. So you must first uninstall all 32-bit versions of Office programs before you install the 64-bit version of Office.
- Any add-ins you want to run for Office must also be 64-bit editions.
- Third-party ActiveX controls and add-ins. None of these work with the 64-bit version of Office.
- There is no 64-bit version of Visual Basic 6, so many of these objects need to be ported and rewritten.
- Microsoft Visual Basic for Applications (VBA) won’t work unless you manually update the “Declare” statements.
- Compiled Access databases The .MDE and .ACCDE files, a common way for Access application developers to distribute solutions and protect their intellectually property, don’t work in the 64-bit version of Office. You must contact the application developer to recompile, retest, and redistribute the solution in the 64-bit version.
With all of the reasons not to use 64bit Office, why on earth would anyone chose to use it? It still makes sense for some users such as the following examples from TechNet:
- Excel expert users who work with complex Excel worksheets can benefit from using 64-bit Office 2013. This is because 64-bit Office doesn’t impose hard limits on file size. Instead, workbook size is limited only by available memory and system resources. On the other hand, 32-bit Office is limited to 2 gigabytes (GB) of virtual address space, shared by Excel, the workbook, and add-ins that run in the same process. (Worksheets smaller than 2 GB on disk might still contain enough data to occupy 2 GB or more of addressable memory.) You can learn more in Excel specifications and limits and Data Model specifications and limits.
- Users who use Project 2013 also benefit when they use Project files over 2 GB, especially when they are dealing with many subprojects to a large project.
- In-house Office solution developers should have access to the 64-bit Office 2013 for testing and updating these solutions.
- Office 2013 offers enhanced default security protections through Hardware Data Execution Prevention (DEP). (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. For 64-bit installs, DEP will always be enforced for Office applications. On 32-bit installs, you can configure DEP by using Group Policy settings.
If you need to deploy both versions of Office with Configuration Manager, you can use the same application with different deployment types as I’ve explained in my previous post Managing 32 bit and 64 bit versions of applications using Global Conditions, Requirement Rules and Deployment Types.
BTW – I’m running 32bit Office now.
Configuration Manager is a constantly evolving and improving product. Distribution Points (DPs) in Configuration Manager have advanced quite a bit since SCCM 2007. Configuration Manager 2012 introduced bandwidth scheduling and throttling to the DP role. A feature previously limited to secondary sites. For many organizations, secondary sites are no longer required. The new Distribution Point functionality is sufficient to replace many secondary site use cases.
TechNet does a fantastic job of educating IT Pros on what the new features are and how to configure them. What I’m going to attempt to do in this post is help identify the some use case scenarios where they make sense.
Let’s start with a high level review of the different types of Distribution Points (DPs).
Distribution Point Concepts
Distribution Points (DPs) provide content (applications, software updates, etc.) to clients. Boundary groups (groups of boundaries containing AD site info or IP subnet, IP range, IPv6 prefix) are assigned to DPs to help clients locate preferred DPs. A DP can optionally be configured as a fallback content point so that clients that cannot retrieve content from a preferred content point can access it from the fallback location. For a client to successfully retrieve content, it must be in a boundary associated with a boundary group on a preferred or fallback DP.
Standard Distribution Point
A standard Distribution Point is used to serve content to clients. There is a limit of 250 DPs per site (and secondary site).
Pull Distribution Point
A Pull DP is very similar to a Standard DP except that is gets its content from another DP (known as a source DP). This minimizes the load on the site server since the Pull DP manages its own content transfer in much the same way that a Configuration Manager client would. There is limit of 2000 Pull DPs per site (and secondary site)
PXE & Multicast Distribution Points
DPs can be configured to respond to PXE requests and send multicast streams as part of OSD scenarios. In order to support these features, WDS must be installed ad enabled on the distribution points. Both Standard DPs and Pull DPs support PXE and Multicast.
Cloud Distribution Point
A Cloud DP is an Azure hosted distribution point that can be rapidly scaled up or down to meet changing requirements.
IT has many of the advantages of other cloud based IaaS offerings. Cloud DPs do not support OSD or SUS since they do not support PXE or software update packages. There are other limitations as well. For more information on Cloud DPs check TechNet.
Use Case Scenarios
|DP Type||Sample Use Case|
|Standard DP||Standard DPs make sense anywhere that there are large numbers of clients to serve. Although there is no clear line in the sand, it’s fairly easy to make the case for a DP at a location with more than 50 clients.|
|Pull DP||Augment the number of DPs beyond 250 per site (up to 2250) and or minimize the content distribution load on the site server(s).|
|PXE & Multicast DP||Support for OSD. Example Migration from Windows XP to Windows 7 , 8, 8.1, etc.|
|Cloud DP||Support for elastic operations such as a temporarily large distribution to clients. Example, rollout of a new CRM tool.|
Depending on the complexity of your environment you may need to mix and match DPs to meet your specific requirements. Of course, all of these scenarios can be made more efficient by incorporating BranchCache support on clients. For more information on how to use BranchCache to optimize software distribution while minimizing infrastructure components see my post on CanITPro.
While Windows 8.1 and Windows Server 2012 R2 was released earlier this month, when nobody was looking, System Center 2012 Configuration Manager R2 came out. Did anybody notice? Aside from support for Windows 8.1 and Windows Server 2012 R2, there are a quite a few new features. I understand that many organizations typically wait before deploying new versions of products but what’s in store for those who are ready to install if only for evaluation purposes? Here are the features that I’m most interested in exploring:
Profiles. Profiles, Profiles
A raft of new profile types can be managed including Remote Connection profiles, VPN profiles, Wi-Fi profiles, and Certificate profiles. This can really simplify the management of some complex settings across devices.
Reassign clients to another site in the hierarchy. This will primarily be useful for large organizations with a CAS.
Many new features and enhancements including user self-enrollment for Android and iOS using the company portal app. Another neat new feature that I’m excited about is support for personal and corporate owned devices. This feature will be useful in lifecycle management and BYOD scenarios where a selective wipe makes more sense when a device is lost. There are also some new compliance settings specifically targeted at mobile devices.
Software Distribution and Application Management
There’s a new Deployment Type for web based applications. This is really just a way to manage links to web based applications but it does help to simplify and centralize all software deployments. There are also some new features that are intended to help manage scenarios that include Windows Store Apps and the company portal.
There are some enhancements to ADRs as well as a new type of maintenance window specifically for Software Updates. I can see this being very useful for organizations that need to manage software updates on a different schedule that normal application deployments.
Check out fellow MVP Kent Agerlund’s TechEd New Zealand’s presentation for some demos of some of the changes. For a full list of the changes and additions in Configuration Manager 2012 R2 check TechNet
I’m not a licensing expert and I don’t play one on TV but it occurs to me that many organizations are paying twice for their endpoint protection solutions. I have been involved in over two dozen System Center 2012 Configuration Manager deployments and only one of the organizations was even mildly interested in System Center Endpoint Protection. My understanding is that the System Center Endpoint Protection (SCEP) CAL is included in the System Center 2012 Configuration Manager CAL. So at least from a licensing perspective if you already have Configuration Manager, you have SCEP. So why are organizations paying Symantec, McAfee, Trend, or some other endpoint protection vendor in addition to Microsoft? I understand that SCEP may not fit the bill for some organizations and that they may have specific requirements that need to be addressed by their chosen solution but doesn’t it make sense to at least evaluate the SCEP option – especially if you have already paid for it? What are some of the possible reasons that SCEP is flying under the radar of most organizations?
- Microsoft isn’t in the Gartner Magic Quadrant, they are in the Challenger’s quadrant.
- There have been very few independent reviews of SCEP apart from one pseudo review since it really isn’t a stand-alone product but part of a suite.
- Microsoft isn’t really pushing the solution since there is no financial upside (the product is already sold, just not deployed).
- Organizations are complacent and don’t have the time or desire to make a change.
What are some of the reason’s that an organization might want to try out SCEP?
- Save money! The license is already owned as part of Configuration Manager. Why continue to pay another provider until you’ve at least evaluated it for your particular use cases?
- Minimize infrastructure and administrative overhead. Configuration Manager already has the infrastructure for managing client configurations and moving software and updates to them as part of software distribution and patch management solutions. This is essentially the same managing endpoint policies and distributing malware signature files. Why maintain a duplicate infrastructure for third party endpoint clients and signature files and train administrators on multiple products?
- Unified security posture visibility. When you need to understand your complete desktop security posture, do you want to get one report from your endpoint solution and another form your patch management solution to and try to correlate the data to understand your actual security posture? Wouldn’t you rather have a single repository for all of the relevant data and be able to create a unified report? What about integrating endpoint protection policies with compliance management built in to Configuration Manager?
What are you waiting for? Start being SCEPtical. Turn on System Center Endpoint Protection!
I get a lot of questions about Microsoft’s mobile device management (MDM) strategy. It can be confusing because to achieve the full spectrum of management functionality, multiple Microsoft products are required:
- Exchange ActiveSync (EAS)
- System Center 2012 Configuration Manager
- Windows Intune
Can you do some MDM with only EAS? Of course. Can you do MDM with only Intune? Absolutely. So how do you explain this multi-product approach to MDM? Although not strictly true, the way I like to look at it is as a series of layers, with each layer adding additional functionality, and Configuration Manager bringing it all together.
|Exchange ActiveSync (EAS)||Configuration Manager||Intune|
Microsoft calls this approach Unified Device Management (UDM) since it goes beyond simply managing mobile devices. Using the MS approach all devices including servers, desktops, laptops, tablets, and mobile phones can be managed with the same tool set. Some might consider this too confusing and prefer a point solution with less moving parts, however, consider the following:
- Many organizations already have Configuration Manager in place
- Many organizations already have Exchange or hosted Exchange in place
- Using an incremental approach allows you to start small using the pieces you already have without purchasing new software and tailor the solution to your specific needs while controlling costs
Start with Exchange and Configuration Manager and add InTune when and where it makes sense.
I’m sure that most organizations perform some sort of backup of their System Center 2012 Configuration Manager (CM12) sites, however, how many of them have actually tested their backup?
Probably very few, as it can be very difficult to simulate a failure in production and perform a site recovery. Backups are good. Backups that you know you can actually restore from are better.
This post is intended to give the reader an understanding of the general case backup requirements of CM12, a sample backup strategy, and how to test the backup by simulating a failure and performing a restore of the database portion of the site. I typically walk my clients through this process before handing them the keys to their new CM12 environment.
The instructions provided here are based on System Center 2012 Configuration Manager SP1 and MS SQL Server 2012 SP1.
The Scheduled Backup Task
CM12 has a built in maintenance task call Backup Site Server. It performs synchronization between the database and the site control file and other key configuration elements of the Configuration manager site. Although a restore from a database backup is also supported in CM12, this post will only address using the Configuration Manager scheduled backup task as most administrators should be familiar with it.
As part of the site configuration, the maintenance task to perform a site backup should be configured to perform a daily backup stored in an easily accessible location. For the purposes of this post, let’s use E:\CM12_Backup
Figure 1 – Configure Backup Maintenance Task
The success of the backup task can be verified in the following ways:
- Review the timestamp on the SMSBKUP.LOG file that the Backup Site Server maintenance task created in the backup destination folder. Verify that the timestamp has been updated with a time that coincides with the time when the Backup Site Server maintenance task was last scheduled to run. Review the log files for errors.
- In the Component Status node in the Monitoring workspace, review the status messages for SMS_SITE_BACKUP. When site backup is completed successfully, you see message ID 5035, which indicates that the site backup was completed without any errors.
- When the Backup Site Server maintenance task is configured to create an alert if backup fails, you can check the Alerts node in the Monitoring workspace for backup failures.
- In <ConfigMgrInstallationFolder>\Logs, review Smsbkup.log for warnings and errors. When site backup is completed successfully, you see Backup completed with a timestamp and message ID STATMSG: ID=5035.
The backup files in E:\CM12_Backup should be moved to an archival media as per corporate standards. Multiple copies should be maintained in the event that one copy is corrupted or unavailable as it is preferable to restore from an older backup that to recreate the entire infrastructure manually if the latest backup is unavailable.
Additional Items to Backup
The Backup Site Server task is intended to backup key elements of the Configuration Manager site that require synchronization, or other special attention.
Items that are not backed up by the Backup Site Server maintenance task that should be considered for inclusion in any supplementary backup tasks are listed below:
- Any custom reports and extensions used to create them (models, views, tables, etc.)
- The content library stored in the <drive:>\SCCMContentLib folder
- Package source files
- User State Migration Data
To restore a Configuration Manager Site Server, follow these steps:
- Run the Configuration Manager Setup Wizard from installation media or a shared network folder. For example, you can start the Setup wizard by using the Install option when you insert the Configuration Manager DVD. Or, you can open Setup.exe from a shared network folder to start the Setup wizard.
- On the Getting Started page, select Recover a site, and then click Next.
- Complete the wizard by selecting the options that are appropriate for your site recovery
Once the site has been successfully recovered, the following tasks need to be performed:
- Re-enter the passwords for any accounts that are used by site systems (refer to the Configuration guide for a list of accounts – you have one right?)
- Reinstall and hotfixes or Cumulative Updates applied to the site since the initial build
- Restore the Content Library
- Restore the Package Source Files
- Restore the User State Migration Data
Partial Recovery – Database Only
The site recovery wizard will run the same prerequisite checks that a full install will perform. If a full rebuild of the server OS was not performed and only a database recovery is required, the restore process may fail on the detection of a dedicated SQL instance with the following error:
Dedicated SQL Server instance Failed
The same error may be encountered during a test of the restoration process due to remnants of the site in the registry that may indicate a previous installation.
To remedy this error, delete the following registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Operations Management\Components\SMS_SITE_SQL_BACKUP
The same issue may also arise when testing the DR process. The same resolution method can be used. I have created a batch file that I use to speed up this process. Here is the source for my DelKeys.bat file:
Performing a Database Only DR Test
As the base OS, SQL Server and, Configuration Manager Application software can all be rebuilt from generic source media, the most important part of a DR test is to verify that the site configuration and database can be restored as these items will be specific to your organization. The following method can be used to simulate a failure and restore.
- Create one or more objects (such as collections) and make some configuration changes (such as a boundary).
- Perform a site backup. To quickly start a site backup without modifying the backup schedule, use Service Manager to start the SMS_Site_Backup service.
- Once the backup has completed, delete the objects and configuration changes made in step 1
- Use the command PREINST.EXE /STOPSITE to stop all CM12 services. Browse to “\Program Files\Microsoft Configuration Manager\Bin\x640000409” to find the executable.
- Use SQL server Management Studio to Detach the site database
Figure 2 – Detach Configuration Manager Database
- Rename the <DB_Name>.MDF and <DB_Name>.LDF files which are found under \Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
Delete the following three registry keys:
- HKLM\SOFTWARE\Microsoft\SMS\Operations Management\Components\SMS_SITE_SQL_BACKUP
- Perform the Site Recovery task and select restore database from backup.
- Browse to the location of the database backup.
- The site recovery details will be pre-populated.
- Browse to the location of the downloaded prerequisites from the initial installation process.
- The pre-requisite check will run and complete and then the installation will begin.
- Site and installation settings will be pre-populated as will the database information.
- Once the process is started it will appear as the original installation. Refer to the Server Build Guide for more details.
- Once the recovery is complete, verify that the objects and configuration items that you created in Step 1 are recovered.
- Remove the Test Objects and configuration items.
- Additional information about the restore can be found in the c:\ConfigMgrSetup.Log file
Now go test those backups.