Configuration Manager

Managing Windows 8.1 and the MS Surface in the Enterprise – Part 1: Who’s Minding the Store?


Love it or hate it, Windows 8.1 was intended to be both a desktop and “device” operating system. There have been many articles written about how well it succeeds or fails at one or both of those objectives. Regardless of how you feel about Windows 8.1, if you are tasked with managing it in your enterprise, you don’t need another rant/rave post. You need some guidance on how to manage some of the intricacies that Windows 8.1 and some device form factors like the Surface bring into play. That’s what this series of posts aims to do.

I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – you can register here. My session is focused on managing the MS Surface in the Enterprise, and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal.

As part of Microsoft’s attempt to create an OS that is appealing to tablet device users, Microsoft introduced the Windows Store. The Windows Store is Microsoft’s version of Google Play, Apple’s iTunes App Store, the Amazon Appstore for Android and many other sources for device based apps. The current incarnation of the Windows Store showcases Modern UI (formerly known as Metro) applications.

Like the other AppStores, the Windows Store is designed for consumers to purchase applications to run on their devices. Unlike the other AppStores, the Windows Store model needs to coexist with legacy software delivery methods in use by enterprise IT departments such as SCCM. While inconvenient, this is not a knock against the Windows Store. Other platforms don’t have this issue because they don’t have any legacy applications or enterprise software delivery models.

What can we do Today?

For now there are really two methods for managing Modern Apps in an enterprise setting:

1. Sideload the application

  • Requires Certificate to sign the app since it will bypass the store validation
  • Requires .Appx Bundle from the application developer / vendor
  • Applications can be inserted into image with DISM
  • Applications can be distributed with System Center Configuration Manager

2. Deep Link the application

  • Requires Windows Store account for each user (does not need to be linked to domain account)
  • Associates application with user
  • Applications cannot be included in image
  • Still requires some user input (not truly silent)

Access to the Windows store can be controlled through group policy.

If you choose to permit users to access the store there is still the ability to restrict or allow specific applications with AppLocker.
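The sideloading path above has three controls worth checking before an .appx bundle goes onto a machine: the package signature (since Store validation is bypassed), the Group Policy that permits sideloading, and whether AppLocker packaged app rules are actually enforced. The following pre-flight script is an added example, not code from the original post; the package path C:\Deploy\ContosoApp.appxbundle is a hypothetical placeholder, and it assumes the AppLocker and DISM PowerShell modules that ship with Windows 8.1.

```powershell
# Added example (not from the original post). Assumes a sideload bundle at the
# hypothetical path below and a Windows 8.1 machine with the AppLocker and
# DISM PowerShell modules available.
$Package = 'C:\Deploy\ContosoApp.appxbundle'

# 1. Sideloading bypasses Store validation, so the signature is the only gate.
#    Refuse any package that does not chain to a certificate this machine trusts.
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -ne 'Valid') {
    throw "Package signature status is '$($sig.Status)' - refusing to sideload."
}
Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"

# 2. Confirm the sideloading policy is on. It is set by Group Policy under
#    Computer Configuration > Administrative Templates > Windows Components >
#    App Package Deployment > "Allow all trusted apps to install".
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                           -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
if (-not $policy -or $policy.AllowAllTrustedApps -ne 1) {
    throw 'Sideloading of trusted apps is not enabled by policy on this machine.'
}

# 3. Provision the package so it is staged for every new user profile. This is
#    the online equivalent of DISM /Add-ProvisionedAppxPackage used in image builds.
Add-AppxProvisionedPackage -Online -PackagePath $Package -SkipLicense | Out-Null

# 4. Report whether the effective AppLocker policy enforces Packaged app rules.
#    Without an enforced "Appx" rule collection, any trusted-signed Modern app
#    can run, regardless of what is in the Store or was sideloaded.
[xml]$al = Get-AppLockerPolicy -Effective -Xml
$appxRules = $al.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if ($appxRules -and $appxRules.EnforcementMode -eq 'Enabled') {
    "AppLocker packaged app rules enforced: $(@($appxRules.ChildNodes).Count) rule(s)."
} else {
    'No enforced AppLocker packaged app rules; any trusted-signed Modern app can run.'
}
```

Run it elevated; Add-AppxProvisionedPackage requires administrator rights, and step 1 is the check you want to keep even if you deploy the package through Configuration Manager instead.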

Coming with Windows 10

Microsoft has announced that this will get easier with Windows 10. Organizations will be able to set up a private “boutique” within the Windows Store and curate which applications their users will be able to browse and install. Organizations will also be able to use a single store account to make volume purchases and download the installation files and distribute them in ways that make sense for their use cases (machines without internet access, reassigning applications, etc.).


My Top 10 System Center Configuration Manager Resources


I often get asked the following two questions:

  1. I know you blog but why don’t you blog about Configuration Manager as much as other topics?
  2. What are some good resources for learning about Configuration Manager?

The answers to these questions are definitely interrelated. Let me start with the first question:

First of all, as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time. That same NDA forbids me from blogging about MS products until they are GA. Other bloggers don’t have the same restriction, so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manager written by some very knowledgeable people (fellow MVPs in many cases) that know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.

In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list, would it?) – it was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms, and because I don’t have any hermetically sealed envelopes, I have arranged the list in alphabetical order.

1. Configuration Manager Team Blog – This is a great place to get news and information about the product. Things like announcements, latest cumulative updates, new features and capabilities can be found here, as well as common scenarios and troubleshooting tips. All of this, of course, courtesy of Microsoft.
2. CoreTech – Coretech has a lot of high profile bloggers including Kent Agerlund and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such, their Configuration Manager blog is a great resource.
3. Deployment Research – MVP Johan Arwidmark has done some extreme deployments. This is the place to go if you want deep dive and troubleshooting information about deployments, including some unsupported workarounds (for your lab of course).
4. Enhansoft – Enhansoft is a company that focuses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations. They also give out a free SSRS report every month. MVP Garth Jones, the founder of Enhansoft, also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often.
5. Jason Sandys – If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally, Jason is one of the moderators of the Configuration Manager TechNet forums, another great resource.
6. MyITForum – MyITForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyITForum is famous for the running of the bulls at MMS to get passes to their famous party. Click here for a link to a video about Community and MyITForum from MMS 2012 featuring Rod Trent, the President of MyITForum (and the Community Manager at WindowsITPro).
7. System Center User Group Belgium – Lots of good info here, including blogs by MVPs Kenny Buntinx and Kim Oppalfens.
8. TechNet – TechNet has a lot of good resources including the official Microsoft Document Library for Configuration Manager, Release Notes, and Technical Publications. The Configuration Manager TechNet forums are a great place for moderated support. There are other good resources as well, such as ConfigMgrDogs.
9. WindowsITPro – WindowsITPro is a great resource for IT Pros in general, but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section of their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog.
10. Windows-Noob.com – This is MVP Niall Brady’s blog. It is a great place to get walkthroughs of every major feature of Configuration Manager: a good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 Guides.

There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic. For better results, try some of Kim Oppalfens’ search providers to make it easier. These are just some that I use regularly and the first ten that came to mind. The selection process was by no means scientific and I was the only member of the selection committee. Full disclosure – yes, I do know most of the bloggers, but that’s life.

If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again, apologies to any good resources that I failed to mention.

Office Bitness (64bit or 32bit / x64 or x86)


I recently had to rebuild my Windows 8.1 laptop. In fact, this is the first real piece of work that I am doing on it while I reinstall apps in the background. As part of the process I had to re-install Microsoft Office. For as long as I have been using a 64bit OS as my standard desktop (Windows 7 was the first OS that I only ran as x64), I have always used the 64bit version of Office. When downloading the ISO for Office 2013 SP1 from the MS Partner site, I noticed that Microsoft has posted the following message:

Important: Microsoft strongly recommends the use of 32-bit (x86) versions of Office 2013, Project 2013, and Visio 2013 applications as the default option for all platforms. Learn more about the deployment considerations for x64 and x86 at TechNet.

I consider myself somewhat of a technically savvy user (maybe a poor assumption?) and I have always assumed that, all things being equal, 64bit is better than 32bit. Just like 32bit is better than 16bit (and 16bit is better than 8bit, etc.).

So off I went to TechNet to find out the reason for this strong recommendation from Microsoft. Considering how hard it has been to get users and enterprises to give up Windows XP, you’d think they would want everyone to upgrade to the latest generation of tools, right?

Here is the key reason for the strong recommendation directly from TechNet:

32-bit Office is recommended for most users

We recommend the 32-bit version of Office, because it is more compatible with most other applications, especially third-party add-ins. This is why the 32-bit version of Office 2013 is installed by default, even on 64-bit Windows operating systems. On these systems, the 32-bit Office client is supported as a Windows-32-on-Windows-64 (WOW64) installation. WOW64 is the x86 emulator that enables 32-bit Windows-based applications to run seamlessly on 64-bit Windows systems. This lets users continue to use existing Microsoft ActiveX Controls and COM add-ins with 32-bit Office.

So what about my assumption that, all things being equal, x64 is better than x86? Well, I wasn’t wrong, but it turns out that all things aren’t equal. Third party vendors don’t pay equal attention to 32bit Office and 64bit Office. There are other good reasons to consider Office x86, such as:

  1. The 64-bit version of Microsoft Office isn’t compatible with any other 32-bit version of Office programs. So you must first uninstall all 32-bit versions of Office programs before you install the 64-bit version of Office.
  2. Any add-ins you want to run for Office must also be 64-bit editions.
  3. Third-party ActiveX controls and add-ins. None of these work with the 64-bit version of Office.
  4. There is no 64-bit version of Visual Basic 6, so many of these objects need to be ported and rewritten.
  5. Microsoft Visual Basic for Applications (VBA) won’t work unless you manually update the “Declare” statements.
  6. Compiled Access databases. The .MDE and .ACCDE files, a common way for Access application developers to distribute solutions and protect their intellectual property, don’t work in the 64-bit version of Office. You must contact the application developer to recompile, retest, and redistribute the solution in the 64-bit version.

With all of these reasons not to use 64bit Office, why on earth would anyone choose to use it? It still makes sense for some users, such as the following examples from TechNet:

  1. Excel expert users who work with complex Excel worksheets can benefit from using 64-bit Office 2013. This is because 64-bit Office doesn’t impose hard limits on file size. Instead, workbook size is limited only by available memory and system resources. On the other hand, 32-bit Office is limited to 2 gigabytes (GB) of virtual address space, shared by Excel, the workbook, and add-ins that run in the same process. (Worksheets smaller than 2 GB on disk might still contain enough data to occupy 2 GB or more of addressable memory.) You can learn more in Excel specifications and limits and Data Model specifications and limits.
  2. Users who use Project 2013 also benefit when they use Project files over 2 GB, especially when they are dealing with many subprojects to a large project.
  3. In-house Office solution developers should have access to the 64-bit Office 2013 for testing and updating these solutions.
  4. Office 2013 offers enhanced default security protections through Hardware Data Execution Prevention (DEP). DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. For 64-bit installs, DEP will always be enforced for Office applications. On 32-bit installs, you can configure DEP by using Group Policy settings.

If you need to deploy both versions of Office with Configuration Manager, you can use the same application with different deployment types as I’ve explained in my previous post Managing 32 bit and 64 bit versions of applications using Global Conditions, Requirement Rules and Deployment Types.

BTW – I’m running 32bit Office now.

Configuration Manager Distribution Points – Use case scenarios


Configuration Manager is a constantly evolving and improving product. Distribution Points (DPs) in Configuration Manager have advanced quite a bit since SCCM 2007. Configuration Manager 2012 introduced bandwidth scheduling and throttling to the DP role, a feature previously limited to secondary sites. For many organizations, secondary sites are no longer required. The new Distribution Point functionality is sufficient to replace many secondary site use cases.

TechNet does a fantastic job of educating IT Pros on what the new features are and how to configure them. What I’m going to attempt to do in this post is help identify some use case scenarios where they make sense.

Let’s start with a high level review of the different types of Distribution Points (DPs).

Distribution Point Concepts

Distribution Points (DPs) provide content (applications, software updates, etc.) to clients. Boundary groups (groups of boundaries containing AD site info or IP subnet, IP range, IPv6 prefix) are assigned to DPs to help clients locate preferred DPs. A DP can optionally be configured as a fallback content point so that clients that cannot retrieve content from a preferred content point can access it from the fallback location. For a client to successfully retrieve content, it must be in a boundary associated with a boundary group on a preferred or fallback DP.

Standard Distribution Point

A standard Distribution Point is used to serve content to clients. There is a limit of 250 DPs per site (and secondary site).

Use Case:

Pull Distribution Point

A Pull DP is very similar to a Standard DP except that it gets its content from another DP (known as a source DP). This minimizes the load on the site server, since the Pull DP manages its own content transfer in much the same way that a Configuration Manager client would. There is a limit of 2000 Pull DPs per site (and secondary site).

PXE & Multicast Distribution Points

DPs can be configured to respond to PXE requests and send multicast streams as part of OSD scenarios. In order to support these features, WDS must be installed and enabled on the distribution points. Both Standard DPs and Pull DPs support PXE and Multicast.

Cloud Distribution Point

A Cloud DP is an Azure hosted distribution point that can be rapidly scaled up or down to meet changing requirements. It has many of the advantages of other cloud based IaaS offerings. Cloud DPs do not support OSD or SUS, since they do not support PXE or software update packages. There are other limitations as well. For more information on Cloud DPs, check TechNet.

Use Case Scenarios

DP Type – Sample Use Case

  • Standard DP – Standard DPs make sense anywhere that there are large numbers of clients to serve. Although there is no clear line in the sand, it’s fairly easy to make the case for a DP at a location with more than 50 clients.
  • Pull DP – Augment the number of DPs beyond 250 per site (up to 2250) and/or minimize the content distribution load on the site server(s).
  • PXE & Multicast DP – Support for OSD. Example: migration from Windows XP to Windows 7, 8, 8.1, etc.
  • Cloud DP – Support for elastic operations such as a temporarily large distribution to clients. Example: rollout of a new CRM tool.

Depending on the complexity of your environment you may need to mix and match DPs to meet your specific requirements. Of course, all of these scenarios can be made more efficient by incorporating BranchCache support on clients. For more information on how to use BranchCache to optimize software distribution while minimizing infrastructure components see my post on CanITPro.

What’s New in System Center 2012 Configuration Manager R2?


While Windows 8.1 and Windows Server 2012 R2 were released earlier this month, when nobody was looking, System Center 2012 Configuration Manager R2 came out. Did anybody notice? Aside from support for Windows 8.1 and Windows Server 2012 R2, there are quite a few new features. I understand that many organizations typically wait before deploying new versions of products, but what’s in store for those who are ready to install, if only for evaluation purposes? Here are the features that I’m most interested in exploring:

Profiles, Profiles, Profiles

A raft of new profile types can be managed including Remote Connection profiles, VPN profiles, Wi-Fi profiles, and Certificate profiles. This can really simplify the management of some complex settings across devices.

Client reassignment

Reassign clients to another site in the hierarchy. This will primarily be useful for large organizations with a CAS.

Mobile Devices

Many new features and enhancements including user self-enrollment for Android and iOS using the company portal app. Another neat new feature that I’m excited about is support for personal and corporate owned devices. This feature will be useful in lifecycle management and BYOD scenarios where a selective wipe makes more sense when a device is lost. There are also some new compliance settings specifically targeted at mobile devices.

Software Distribution and Application Management

There’s a new Deployment Type for web based applications. This is really just a way to manage links to web based applications but it does help to simplify and centralize all software deployments. There are also some new features that are intended to help manage scenarios that include Windows Store Apps and the company portal.

Software Updates

There are some enhancements to ADRs as well as a new type of maintenance window specifically for Software Updates. I can see this being very useful for organizations that need to manage software updates on a different schedule than normal application deployments.

PowerShell

There are fifty new PowerShell cmdlets – my colleague Sean will be excited about this.

Check out fellow MVP Kent Agerlund’s TechEd New Zealand presentation for some demos of some of the changes. For a full list of the changes and additions in Configuration Manager 2012 R2, check TechNet.

You want me to pay twice? Why aren’t more organizations SCEPtical?


I’m not a licensing expert and I don’t play one on TV, but it occurs to me that many organizations are paying twice for their endpoint protection solutions. I have been involved in over two dozen System Center 2012 Configuration Manager deployments and only one of the organizations was even mildly interested in System Center Endpoint Protection. My understanding is that the System Center Endpoint Protection (SCEP) CAL is included in the System Center 2012 Configuration Manager CAL. So, at least from a licensing perspective, if you already have Configuration Manager, you have SCEP. So why are organizations paying Symantec, McAfee, Trend, or some other endpoint protection vendor in addition to Microsoft? I understand that SCEP may not fit the bill for some organizations and that they may have specific requirements that need to be addressed by their chosen solution, but doesn’t it make sense to at least evaluate the SCEP option – especially if you have already paid for it? What are some of the possible reasons that SCEP is flying under the radar of most organizations?

  1. Microsoft isn’t in the Gartner Magic Quadrant; they are in the Challengers quadrant.
  2. There have been very few independent reviews of SCEP apart from one pseudo review since it really isn’t a stand-alone product but part of a suite.
  3. Microsoft isn’t really pushing the solution since there is no financial upside (the product is already sold, just not deployed).
  4. Organizations are complacent and don’t have the time or desire to make a change.

What are some of the reasons that an organization might want to try out SCEP?

  1. Save money! The license is already owned as part of Configuration Manager. Why continue to pay another provider until you’ve at least evaluated it for your particular use cases?
  2. Minimize infrastructure and administrative overhead. Configuration Manager already has the infrastructure for managing client configurations and moving software and updates to them as part of software distribution and patch management solutions. This is essentially the same as managing endpoint policies and distributing malware signature files. Why maintain a duplicate infrastructure for third party endpoint clients and signature files and train administrators on multiple products?
  3. Unified security posture visibility. When you need to understand your complete desktop security posture, do you want to get one report from your endpoint solution and another from your patch management solution and try to correlate the data to understand your actual security posture? Wouldn’t you rather have a single repository for all of the relevant data and be able to create a unified report? What about integrating endpoint protection policies with the compliance management built in to Configuration Manager?

What are you waiting for? Start being SCEPtical. Turn on System Center Endpoint Protection!

Microsoft’s MDM Toolset


I get a lot of questions about Microsoft’s mobile device management (MDM) strategy. It can be confusing because to achieve the full spectrum of management functionality, multiple Microsoft products are required:

  1. Exchange ActiveSync (EAS)
  2. System Center 2012 Configuration Manager
  3. Windows Intune

Can you do some MDM with only EAS? Of course. Can you do MDM with only Intune? Absolutely. So how do you explain this multi-product approach to MDM? Although not strictly true, the way I like to look at it is as a series of layers, with each layer adding additional functionality and Configuration Manager bringing it all together.

Layers: Exchange ActiveSync (EAS), Configuration Manager, Intune

Configuration Manager:
  • Configuration Manager, through the Exchange connector, exposes the policy objects in the Configuration Manager console to create collection specific policies.
  • Configuration Manager provides additional value in the form of asset inventory of devices connecting through EAS, as well as reporting and compliance management of EAS policies on the devices.
  • Configuration Manager provides the single pane of glass for managing EAS and Intune enrolled devices.

Intune:
  • Intune provides the bridge to the vendor specific application stores (“App Stores”, e.g. iTunes, Google Play, Windows Phone Store, etc.)
  • Additional policies and enforcement
  • Intune provides application management and hardware lifecycle management (enroll, manage, retire).
  • Intune provides interesting options like selective wipe and application delivery.

Microsoft calls this approach Unified Device Management (UDM) since it goes beyond simply managing mobile devices. Using the MS approach, all devices including servers, desktops, laptops, tablets, and mobile phones can be managed with the same tool set. Some might consider this too confusing and prefer a point solution with fewer moving parts; however, consider the following:

  1. Many organizations already have Configuration Manager in place
  2. Many organizations already have Exchange or hosted Exchange in place
  3. Using an incremental approach allows you to start small using the pieces you already have without purchasing new software and tailor the solution to your specific needs while controlling costs

Start with Exchange and Configuration Manager and add Intune when and where it makes sense.