In the last few years SCCM has been introducing new features to the software update workflow to help with server update scenarios. Features such as Server Groups, maintenance windows, and Pre and Post deployment actions allow an unprecedented level of control over how and when servers are patched.
Top 10 Reasons to use SCCM for Server Updates
So what are some of the benefits of using SCCM to update servers compared to other tools like WSUS? Consider the following:
- Granular Deployment Control – Unlimited number of Collections based on Technology and Business requirements
- Automated Maintenance Windows – Patches will only deploy during scheduled maintenance windows
- Pre and Post Automation – Run Scripts before and after Updates (Example: Create a VM snapshot)
- Restart Management – Control over Server restart behaviour
- Automated Deployment Rules – Automate repetitive business logic based patching scenarios based on predetermined selection criteria such as platform, product, classification etc.
- Update Templates – Create scenario based templates to accelerate patching and minimize errors
- Rich reporting – Dozens of canned reports for updates management and status as well as the option for custom reports
- Bandwidth management and optimization – Use local repositories and peer caching to minimize the amount of network load and accelerate deployments. Schedule and throttle bandwidth usage based on time of day.
- Server Group Control – Logic based on number, percent and order of servers to be patched at any given time. Ideal for clusters and load balanced services.
- Query based targeting – richer targeting based on asset inventory data
That’s a lot of control and conceptually difficult to understand. I used to love the superflows in the old SMS documentation. I’ve created a miniflow of my own to help you understand how some of the new features can be used to take better control of the server update process.
Microsoft announced on February 1st that they will be adding another six months to the supprot of Windows 10 version 1607, 1703, and 1709.
|Release||Release Date||End of Support||End of Additional Servicing for Enterprise & Education|
|Windows 10 1511||November 10, 2015||October 10, 2017||April 10, 2018|
|Windows 10 1607||August 2, 2016||April 10, 2018||October 9, 2018|
|Windows 10 1703||April 5, 2017||October 9, 2018||April 9, 2019|
|Windows 10 1709||October 17, 2017||April 9, 2019||October 9, 2019|
Up to this point Microsoft has offered 18 months of support for each Windows 10 release. This extension seems a direct repsonse from enterprise customers struggling to keep pace with the rapid release cycle and short support windows associated with Windows as a Service.
Windows as a Service isnto only new for customers. It’s new for Microsoft as well. As they figure out how fast customers can ingest all of the innovatiosn comign out of Redmond, we’ll see the release cycles stabailze and balance update frequency with upgrade readiness.
For organizations that are having trouble transitioning engineerg efforts traditional associated with operating system updates to a more operational model, tools like Intune and SCCM can help accelerate the transion. I’ll be writng a few pieces in the future on how to take advantage of these types of tools to simplify Windows 10 update management.
Is SCCM right for you or is InTune a better fit? Why choose? Use Both!
Beginning with the Fall Creators Update for Windows 10 (aka 1709) Windows 10 devices will be able to join both on premise AD domains as well as the Azure AD service. This opens the door to have devices managed by both SCCM and Intune. While administrators can use co-management to split up specific servicing workflows such as using SCCM for application deployment and Intune for update management so that devices get updates wherever they are, the co-management bridge is intended to simplify the migration to cloud based modern management services and not a long term solution. It would be really nice to be able to mix and match servicing scenarios so that as a device moves between on premise and off premise they are serviced by the most appropriate tool however at first glance this functionality is not readily apparent.
Now that Autopilot is available for Operating System Deployments, Intune + Autopilot provides a credible solution for full device lifecycle management for many use case scenarios. I expect to see more organizations using the co-management bridge to begin their migration to modern management.
I still use a Surface Pro 3 and many of my customers use SCCM to manage Surface devices. In fact, The Surface Pro is the tablet of choice in the Canadian federal government. So how is this related to SCCM 1706? While there are many new features in SCCM 1706 that you can read about here, there is a pre-release feature that is particularly interesting to anyone that has to manage Surface devices. The feature provides the ability to manage MS Surface driver updates with SCCM.
- All software update points must run Windows Server 2016.
- This is a pre-release feature that you must turn on for it to be available. For more information, see Use pre-release features from updates.
To manage Surface driver updates
- Enable Synchronization for Microsoft Surface drivers. Use the procedure in Configure classification and products and select the Include Microsoft Surface drivers and firmware updates checkbox on the Classifications tab to enable Surface drivers.
- Synchronize the Microsoft Surface drivers.
- Deploy synchronized Microsoft Surface drivers
Managing Windows 8.1 and the MS Surface in the Enterprise – Part 2: Deployment with System Center Configuration Manager
I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal. This is the second installment in the series. Here is a link to part 1 – Who’s Minding the Store.
As more and more organizations are deploying Surface devices there are some special considerations when deploying with Configuration Manager:
- Since the Surface doesn’t have a physical NIC, if you will probably need a USB NIC or docking station. If you are reusing the same dock or USB NIC, Configuration Manager will need to have the MAC address of the NIC cleaned out after each deployment. This blog provides more information on the issue and provides a script that can be used for the cleanup.
- The Surface Pro 3 Class 3 UEFI device. In order to support PXE bot for such a device Windows Deployment Services(WDS) must be at least Windows Server 2008R2 with Windows Server 2012 Boot image (Windows Server 2012R2 WDS with 2012R2 boot image is recommended)
- DHCP Scope Options 66/67 will not work with mix of BIOS and UEFI systems. Ip helpers must be used instead.
You may want to download the Deployment and Administration Guide for Surface Pro 3.
Love it or hate it, but Windows 8.1 was intended to be both a desktop and “device” operating system. There have been many articles written about how well it succeeds or fails at one or both of those objectives. Regardless of how you feel about Windows 8.1, if you are tasked with managing it in you enterprise, you don’t need another rant / rave post. You need some guidance on how to manage some of the intricacies that Windows 8.1 and some device form factors like the Surface bring into play. That’s what this series of posts aims to do.
I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal.
As part of Microsoft’s attempt to create an OS that is appealing to tablet device users, Microsoft introduced the Windows Store. The Windows Store is Microsoft’s version of Google Play, Apples iTunes App Store, the Amazon Appstore for Android and many other sources for device based apps. The current incarnation of the Windows Store showcases Modern UI (formerly known as Metro) applications.
Like the other AppStores, the Windows store is designed for consumers to purchase applications to run on their devices. Unlike the other AppStores, the Windows Store model needs to coexist with legacy software delivery methods in use by enterprise IT departments such as SCCM. While inconvenient, this is not a knock against the Windows Store. Other platforms don’t have this issue because they don’t have any legacy applications or enterprise software delivery models.
What can we do Today?
For now there are really two methods for managing Modern Apps in an enterprise setting:
- Requires Certificate to sign the app since it will bypass the store validation
- Requires .Appx Bundle from the application developer / vendor
- Applications can be inserted into image with DISM
- Applications can be distributed with System Center Configuration Manager
- Requires Windows Store account for each user (does not need to be linked to domain account)
- Associates application with user
- Applications cannot be included in image
- Still requires some user input (not truly silent)
Access to the Windows store can be controlled through group policy.
If you choose to permit users to access the store there is still the ability to restrict or allow specific applications with AppLocker.
Coming with Windows 10
Microsoft has announced that this will get easier with Windows 10. Organizations will be able to setup a private “boutique” within the Windows Store and curate which applications their users will be able to browse and install. Organizations will also be able to use a single store account to make volume purchases and download the installation files and distribute them in ways that make sense for their use cases (machines without internet access, reassigning applications, etc.).
Microsoft’s Surface Tablet/hybrid has been steadily gaining traction in as both a consumer device and a business tool. I use mine for both personal and business use. I haven’t turned on my iPad in over 5 months and I’m only using my laptop as a test bed for pre-release versions of Windows 10. My Surface Pro 3 has become my go to device. My mobile phone and Surface meet 95% of my requirements without any compromise.
Microsoft has been rolling out Surface drivers and firmware updates through the Windows Update service. This works great for personal devices but IT departments have struggled to keep the devices updated using their traditional tools.
Enterprises need the ability to roll out Surface Updates with procedures that adhere to best practices and integrate into the processes that are already in place for other domain joined devices such as Windows Intune and System Center Configuration Manager (SCCM).
The Homebrew Solution
What does a smart Sysadmin do to solve the problem? He (or she) builds their own cumulative update payload that includes all updates including (patches, firmware, and drivers). Make it easy to manage and install in unattended mode with a smart wrapper like PowerShell or Windows Installer / MSI.
The Microsoft Solution
Microsoft has released a solution that meets all of the requirements of the homebrew solution but you don’t have to build it yourself. Here’s a link to the January payload. There are multiple files that can be downloaded from the link. Select the Surface Pro 3 January 2015 MSI.zip
It will install all drivers and firmware that have been released through January 2015. As new updates are released new MSI files will be available for download.
- It doesn’t contain all Surface Pro 3 drivers, just the driver updates
- Touch firmware updates are not included
- It will create an entry into add/remove programs
- There is an option that allows the installation operations to be logged verbosely for troubleshooting
Here’s a good post with a step-by-step that explains how to use the MSI with System Center Configuration Manager (SCCM) and System Center Updates Publisher (SCUP).
I often get asked the following two questions:
- I know you blog but why don’t you blog about Configuration Manager as much as other topics?
- What are some good resources for learning about Configuration Manager?
The answers to these questions are definitely interrelated. Let me start with the first question:
First of all, although as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time. That same NDA forbids me from blogging about MS products until they are GA. Other bloggers don’t have the same restriction so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manger written by some very knowledgeable people (fellow MVPs in many cases) that know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.
In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of t some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list would it?) – It was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms and because I don’t have any hermetically sealed envelopes I have arranged the list in alphabetical order.
|1. Configuration Manager Team Blog||This is a great place to get news and information about the product. Things like announcements, latest cumulative updates, new features and capabilities can be found here as well as common scenarios and troubleshooting tips. All of this of course courtesy of Microsoft|
|2. CoreTech||Coretech has a lot of high profile bloggers including Kent Agerlund, and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such their Configuration Manager Blog is a great resource.|
|3. Deployment Research||MVP Johan Arwidmark has done some extreme deployments. If you want deep dive and troubleshooting information about deployments including some unsupported workarounds (for your lab of course).|
|4. Enhansoft||Enhansoft is a company that focusses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations. They also give out a free SSRS report every month. MVP Garth Jones, the founder of Enansoft also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often.|
|If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally Jason is one of the moderators of the Configuration Manager TechNet forums another great resource.|
|6. MyITForum||MyItForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyItForum is famous for the running of the bulls at MMS to get passes to their famous party. Click here a link to a video about Community and MyITForum from MMS 2012 featuring Rod Trent is the President of MyITForum (and the Community Manager at WindowsItPro)|
|7. System Center User Group Belgium||Lots of good info here including blogs by MVPs Kenny Buntnix and Kim Oppalfens.|
|8. TechNet||TechNet has a lot of good resources including the official Microsoft Document Library for Configuration Manager, Release Notes, and Technical Publications.Configuration Manager TechNet forums is a great place for moderated support. There are other good resources as well such as ConfigMgrDogs.|
|9. WindowsItPro||WindowsItPro is a great resource for IT Pros in general but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog.|
|10. Windows-Noob.com||This is MVP Niall Brady’s blog. IT is a great place to get walkthroughs of every major feature of Configuration Manager. A good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 Guides.|
There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic. For better results, try some of Kim Oppalfens search providers to make it easier. These are just some that I use regularly and the first ten that came to mind. The selection process was by no means scientific and I was the only member of the selection committee. Full Disclosure – Yes, I do know most of the bloggers but that’s life.
If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again apologies to any good resources that I failed to mention.
Configuration Manager is a constantly evolving and improving product. Distribution Points (DPs) in Configuration Manager have advanced quite a bit since SCCM 2007. Configuration Manager 2012 introduced bandwidth scheduling and throttling to the DP role. A feature previously limited to secondary sites. For many organizations, secondary sites are no longer required. The new Distribution Point functionality is sufficient to replace many secondary site use cases.
TechNet does a fantastic job of educating IT Pros on what the new features are and how to configure them. What I’m going to attempt to do in this post is help identify the some use case scenarios where they make sense.
Let’s start with a high level review of the different types of Distribution Points (DPs).
Distribution Point Concepts
Distribution Points (DPs) provide content (applications, software updates, etc.) to clients. Boundary groups (groups of boundaries containing AD site info or IP subnet, IP range, IPv6 prefix) are assigned to DPs to help clients locate preferred DPs. A DP can optionally be configured as a fallback content point so that clients that cannot retrieve content from a preferred content point can access it from the fallback location. For a client to successfully retrieve content, it must be in a boundary associated with a boundary group on a preferred or fallback DP.
Standard Distribution Point
A standard Distribution Point is used to serve content to clients. There is a limit of 250 DPs per site (and secondary site).
Pull Distribution Point
A Pull DP is very similar to a Standard DP except that is gets its content from another DP (known as a source DP). This minimizes the load on the site server since the Pull DP manages its own content transfer in much the same way that a Configuration Manager client would. There is limit of 2000 Pull DPs per site (and secondary site)
PXE & Multicast Distribution Points
DPs can be configured to respond to PXE requests and send multicast streams as part of OSD scenarios. In order to support these features, WDS must be installed ad enabled on the distribution points. Both Standard DPs and Pull DPs support PXE and Multicast.
Cloud Distribution Point
A Cloud DP is an Azure hosted distribution point that can be rapidly scaled up or down to meet changing requirements.
IT has many of the advantages of other cloud based IaaS offerings. Cloud DPs do not support OSD or SUS since they do not support PXE or software update packages. There are other limitations as well. For more information on Cloud DPs check TechNet.
Use Case Scenarios
|DP Type||Sample Use Case|
|Standard DP||Standard DPs make sense anywhere that there are large numbers of clients to serve. Although there is no clear line in the sand, it’s fairly easy to make the case for a DP at a location with more than 50 clients.|
|Pull DP||Augment the number of DPs beyond 250 per site (up to 2250) and or minimize the content distribution load on the site server(s).|
|PXE & Multicast DP||Support for OSD. Example Migration from Windows XP to Windows 7 , 8, 8.1, etc.|
|Cloud DP||Support for elastic operations such as a temporarily large distribution to clients. Example, rollout of a new CRM tool.|
Depending on the complexity of your environment you may need to mix and match DPs to meet your specific requirements. Of course, all of these scenarios can be made more efficient by incorporating BranchCache support on clients. For more information on how to use BranchCache to optimize software distribution while minimizing infrastructure components see my post on CanITPro.
While Windows 8.1 and Windows Server 2012 R2 was released earlier this month, when nobody was looking, System Center 2012 Configuration Manager R2 came out. Did anybody notice? Aside from support for Windows 8.1 and Windows Server 2012 R2, there are a quite a few new features. I understand that many organizations typically wait before deploying new versions of products but what’s in store for those who are ready to install if only for evaluation purposes? Here are the features that I’m most interested in exploring:
Profiles. Profiles, Profiles
A raft of new profile types can be managed including Remote Connection profiles, VPN profiles, Wi-Fi profiles, and Certificate profiles. This can really simplify the management of some complex settings across devices.
Reassign clients to another site in the hierarchy. This will primarily be useful for large organizations with a CAS.
Many new features and enhancements including user self-enrollment for Android and iOS using the company portal app. Another neat new feature that I’m excited about is support for personal and corporate owned devices. This feature will be useful in lifecycle management and BYOD scenarios where a selective wipe makes more sense when a device is lost. There are also some new compliance settings specifically targeted at mobile devices.
Software Distribution and Application Management
There’s a new Deployment Type for web based applications. This is really just a way to manage links to web based applications but it does help to simplify and centralize all software deployments. There are also some new features that are intended to help manage scenarios that include Windows Store Apps and the company portal.
There are some enhancements to ADRs as well as a new type of maintenance window specifically for Software Updates. I can see this being very useful for organizations that need to manage software updates on a different schedule that normal application deployments.
Check out fellow MVP Kent Agerlund’s TechEd New Zealand’s presentation for some demos of some of the changes. For a full list of the changes and additions in Configuration Manager 2012 R2 check TechNet