In the last few years SCCM has been introducing new features to the software update workflow to help with server update scenarios. Features such as Server Groups, maintenance windows, and Pre and Post deployment actions allow an unprecedented level of control over how and when servers are patched.
Top 10 Reasons to use SCCM for Server Updates
So what are some of the benefits of using SCCM to update servers compared to other tools like WSUS? Consider the following:
- Granular Deployment Control – Unlimited number of Collections based on Technology and Business requirements
- Automated Maintenance Windows – Patches will only deploy during scheduled maintenance windows
- Pre and Post Automation – Run Scripts before and after Updates (Example: Create a VM snapshot)
- Restart Management – Control over Server restart behaviour
- Automated Deployment Rules – Automate repetitive, business-logic-driven patching scenarios using predetermined selection criteria such as platform, product, classification, etc.
- Update Templates – Create scenario based templates to accelerate patching and minimize errors
- Rich reporting – Dozens of canned reports for updates management and status as well as the option for custom reports
- Bandwidth management and optimization – Use local repositories and peer caching to minimize the amount of network load and accelerate deployments. Schedule and throttle bandwidth usage based on time of day.
- Server Group Control – Logic based on number, percent and order of servers to be patched at any given time. Ideal for clusters and load balanced services.
- Query based targeting – Richer targeting based on asset inventory data
That’s a lot of control, and it is conceptually difficult to understand. I used to love the superflows in the old SMS documentation. I’ve created a miniflow of my own to help you understand how some of the new features can be used to take better control of the server update process.
I often get asked the following two questions:
- I know you blog but why don’t you blog about Configuration Manager as much as other topics?
- What are some good resources for learning about Configuration Manager?
The answers to these questions are definitely interrelated. Let me start with the first question:
First of all, as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time, but that same NDA forbids me from blogging about MS products until they are GA. Other bloggers don’t have the same restriction, so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manager written by some very knowledgeable people (fellow MVPs in many cases) that know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.
In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list, would it?) – it was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms, and because I don’t have any hermetically sealed envelopes, I have arranged the list in alphabetical order.
| Resource | Description |
|---|---|
| 1. Configuration Manager Team Blog | This is a great place to get news and information about the product. Things like announcements, latest cumulative updates, new features and capabilities can be found here, as well as common scenarios and troubleshooting tips. All of this, of course, courtesy of Microsoft. |
| 2. CoreTech | Coretech has a lot of high profile bloggers including Kent Agerlund and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such, their Configuration Manager blog is a great resource. |
| 3. Deployment Research | MVP Johan Arwidmark has done some extreme deployments. This is the place to go if you want deep dive and troubleshooting information about deployments, including some unsupported workarounds (for your lab, of course). |
| 4. Enhansoft | Enhansoft is a company that focuses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations. They also give out a free SSRS report every month. MVP Garth Jones, the founder of Enhansoft, also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often. |
| 5. | If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally, Jason is one of the moderators of the Configuration Manager TechNet forums, another great resource. |
| 6. MyITForum | MyITForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyITForum is famous for the running of the bulls at MMS to get passes to their famous party. Click here for a link to a video about Community and MyITForum from MMS 2012 featuring Rod Trent, the President of MyITForum (and the Community Manager at WindowsItPro). |
| 7. System Center User Group Belgium | Lots of good info here, including blogs by MVPs Kenny Buntnix and Kim Oppalfens. |
| 8. TechNet | TechNet has a lot of good resources including the official Microsoft Document Library for Configuration Manager, Release Notes, and Technical Publications. The Configuration Manager TechNet forums are a great place for moderated support. There are other good resources as well, such as ConfigMgrDogs. |
| 9. WindowsItPro | WindowsItPro is a great resource for IT Pros in general, but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section of their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog. |
| 10. Windows-Noob.com | This is MVP Niall Brady’s blog. It is a great place to get walkthroughs of every major feature of Configuration Manager. A good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 Guides. |
There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic. For better results, try some of Kim Oppalfens’ search providers to make it easier. These are just some that I use regularly and the first ten that came to mind. The selection process was by no means scientific, and I was the only member of the selection committee. Full Disclosure – Yes, I do know most of the bloggers, but that’s life.
If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again apologies to any good resources that I failed to mention.
For some organizations, just catching their breath from a Windows XP end of life that took them by surprise and more time and effort than they anticipated, I have some bad news: There is no rest for the weary. The next big end of support horizon that you need to be concerned about is Windows Server 2003/R2 on July 14th of next year. That’s 322 days as of this writing.
What does End of Support Mean?
Under Extended Support last calendar year (2013), Microsoft released 37 critical updates for Windows Server 2003/R2. No new updates will be developed or released after July 14th, 2015.
Lack of compliance with various regulatory and industry standards and regulations can have a huge impact on an organization. For example, lack of compliance with the Payment Card Industry (PCI) Data Security Standards might mean that your organization can no longer accept major credit cards without using a third party (which might prove costly, if not inconvenient).
No safe haven
Both virtual and physical instances of Windows Server 2003/R2 and Microsoft Small Business Server (SBS) 2003 are vulnerable and would probably not pass a compliance audit.
How big a job is this?
Microsoft estimates that at the enterprise level, the average server migration takes approximately 200 days of elapsed time and the average application migration takes close to 300 days. Of course these numbers are not based on level of effort but on elapsed time from project start to finish (consider project planning, needs analysis, procurement, testing, etc.).
So how do we make best use of the time we have left? I would hope that, as we are fresh from our Windows XP migrations, we have learned some lessons that we can apply to accelerate our Windows Server 2003/R2 migrations. The two key lessons that I’d like to explore in this post concern application compatibility and application deployment.
The biggest issues that most organizations will face will be around application compatibility. What we have found in our Windows XP migrations is that there is a class of applications that no matter what you do cannot be made compatible without some recompiling at a minimum. The applications I am referring to are 16-bit applications. The reason for this is based on the implementations of Windows-on-Windows (WoW):
- WoW can be used to run 16-bit applications on a 32-bit Windows OS
- WoW can be used to run 32-bit applications on a 64-bit Windows OS
- WoW can NOT be used to run 16-bit applications on a 64-bit Windows OS
These same issues will present themselves with Server 2003/R2 migrations. However, if you are moving to Windows Server 2012/R2 (and why wouldn’t you?), there is no 32-bit version available. Applications that are susceptible to these compatibility issues need to be dealt with in a different manner, perhaps with a small pool of 32-bit Windows Server 2008 servers. You will have until 2020 until extended support for Server 2008 runs out.
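As an added illustration (not from the original post), the following script applies the WoW rules above to an application inventory: it reads the MZ/NE/PE header of each executable and flags 16-bit (NE) and bare DOS images, which cannot run on a 64-bit Windows Server. The sample headers it builds are constructed for the demonstration, not real programs.

```python
import os
import struct

# PE COFF "Machine" values (from the PE/COFF specification).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def classify_executable(data: bytes) -> str:
    """Classify the leading bytes of a Windows image by its header signature.
    'dos'     bare MZ program (16-bit DOS)
    'ne16'    16-bit Windows (NE) image: needs WoW16, which x64 does not have
    'pe32'    32-bit PE image: runs under WoW64 on x64
    'pe32+'   64-bit PE image
    'unknown' not recognised, or truncated before the signature
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    # e_lfanew at offset 0x3C points at the NE or PE signature, if any.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0:
        return "dos"
    if e_lfanew + 24 > len(data):
        return "unknown"  # caller should read more bytes before deciding
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne16"
    if sig == b"PE\0\0":
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        if machine == IMAGE_FILE_MACHINE_AMD64:
            return "pe32+"
        if machine == IMAGE_FILE_MACHINE_I386:
            return "pe32"
        return "unknown"
    return "dos"  # MZ image with no NE/PE extension


def runs_on_x64(kind: str) -> bool:
    """Apply the WoW rules from the post: only PE images run on 64-bit Windows."""
    return kind in ("pe32", "pe32+")


def find_incompatible(root: str):
    """Walk a tree and list .exe/.dll files that cannot run on 64-bit Windows."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_executable(fh.read(65536))
            except OSError:
                continue
            if not runs_on_x64(kind):
                hits.append((path, kind))
    return hits


def make_sample(kind: str) -> bytes:
    """Build a constructed header (not a real program) of the given kind."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    if kind == "dos":
        return bytes(hdr)                      # e_lfanew left at 0
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # extended header follows MZ header
    if kind == "ne16":
        return bytes(hdr) + b"NE" + bytes(62)  # NE header is 64 bytes
    machine = IMAGE_FILE_MACHINE_AMD64 if kind == "pe32+" else IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)  # 20-byte COFF header
    return bytes(hdr) + b"PE\0\0" + coff
```

Point `find_incompatible` at an application share or a Program Files tree to get the list of images that will need recompiling or a 32-bit host.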
As part of migrating an existing application or deploying a new application, best practices would recommend having a minimum of three segregated environments:
Virtualization has made this much more economical and accessible to smaller organizations. One of the issues I see is moving applications between the environments. It can be time consuming and error prone. One way to minimize the level of effort and increase the accuracy is to use Server App-V. Server App-V (part of System Center Virtual Machine Manager) is a technology that enables virtualization of server applications. With Server App-V, you can create a package that contains all of the required elements of an application (including configuration information) and deploy it simply by “copying” the package to the target server. No changes (registry, service, COM, DCOM, COM+, WMI, etc.) are required on the target server. Server App-V addresses the full lifecycle of an application, including deployment, updating, and retiring.
Server App-V can be used with or without SCVMM, but the greatest advantage of the technology comes from integrating packages into VMM Service Templates.
Now go out and upgrade those servers.
Microsoft’s newest Billion Dollar business units include Office 365 and Azure. There’s lots of marketing, sales, and ROI information about Office365 and cloud services in general. So I’m not going to bore you with another post about how to save your organization money or accelerate value by adopting Office365. I’m going to describe two real world use cases that I have personally found Office365 to help with. I might even throw in some anecdotal cost benefit analysis, but my main purpose is to explore some less common uses for Office 365 that you may not have thought of.
The two scenarios are:
- External consultants
- Test and Development
External consultants
I manage a team of consultants that regularly have to work at client sites, often at some very security conscious organizations. We can’t always use our own laptops in their environment, or if we can it is typically through guest wireless networks. We’ve encountered situations where the guest wireless prevents us from connecting back to our office through VPN. This makes it difficult to access some of our collaboration services like SharePoint. We have moved my team to Office365 specifically to do things like coauthoring documents in SharePoint from customer sites. This enables some interesting scenarios. We’ve had cases where an offsite consultant was able to review and update some documentation while it was being simultaneously authored by another consultant working in our lab.
Test and Development
We do a lot of System Center work. System Center is a complex suite of products that interact with each other as well as with core Windows infrastructure like Active Directory and Exchange. When we are building out a proof of concept for a customer, they typically don’t want us to touch their production AD and Exchange environments. I don’t blame them. Ultimately, in order to complete the project we would need to somehow build out an Active Directory and Exchange infrastructure dedicated to the proof of concept or pilot. Consider the additional costs in hardware, software, and time required to accomplish this. Lately we’ve started using Office365 to provide Exchange services. It takes minutes to provision and connect to. Examples we’ve used recently include the Exchange connector for Configuration Manager and Service Manager. Using this approach, in under an hour I was able to get more than a half dozen mobile devices loaded into Configuration Manager for an MDM/UDM proof of concept without touching any production AD or Exchange infrastructure, simply by adding an additional email account to the devices.
We’ve extended this to Azure as well. We have been using Azure to host System Center instances for proof of concept and sandbox deployments. I’m looking forward to combining Azure with Office365 to further accelerate our pilots and proofs of concept deployments.
Configuration Manager is a constantly evolving and improving product. Distribution Points (DPs) in Configuration Manager have advanced quite a bit since SCCM 2007. Configuration Manager 2012 introduced bandwidth scheduling and throttling to the DP role, a feature previously limited to secondary sites. For many organizations, secondary sites are no longer required. The new Distribution Point functionality is sufficient to replace many secondary site use cases.
TechNet does a fantastic job of educating IT Pros on what the new features are and how to configure them. What I’m going to attempt to do in this post is help identify some use case scenarios where they make sense.
Let’s start with a high level review of the different types of Distribution Points (DPs).
Distribution Point Concepts
Distribution Points (DPs) provide content (applications, software updates, etc.) to clients. Boundary groups (groups of boundaries containing AD site info or IP subnet, IP range, IPv6 prefix) are assigned to DPs to help clients locate preferred DPs. A DP can optionally be configured as a fallback content point so that clients that cannot retrieve content from a preferred content point can access it from the fallback location. For a client to successfully retrieve content, it must be in a boundary associated with a boundary group on a preferred or fallback DP.
Standard Distribution Point
A standard Distribution Point is used to serve content to clients. There is a limit of 250 DPs per site (and secondary site).
Pull Distribution Point
A Pull DP is very similar to a Standard DP except that it gets its content from another DP (known as a source DP). This minimizes the load on the site server, since the Pull DP manages its own content transfer in much the same way that a Configuration Manager client would. There is a limit of 2000 Pull DPs per site (and secondary site).
PXE & Multicast Distribution Points
DPs can be configured to respond to PXE requests and send multicast streams as part of OSD scenarios. In order to support these features, WDS must be installed and enabled on the distribution points. Both Standard DPs and Pull DPs support PXE and Multicast.
Cloud Distribution Point
A Cloud DP is an Azure hosted distribution point that can be rapidly scaled up or down to meet changing requirements.
It has many of the advantages of other cloud based IaaS offerings. Cloud DPs do not support OSD or SUS, since they do not support PXE or software update packages. There are other limitations as well. For more information on Cloud DPs, check TechNet.
Use Case Scenarios
| DP Type | Sample Use Case |
|---|---|
| Standard DP | Standard DPs make sense anywhere that there are large numbers of clients to serve. Although there is no clear line in the sand, it’s fairly easy to make the case for a DP at a location with more than 50 clients. |
| Pull DP | Augment the number of DPs beyond 250 per site (up to 2250) and/or minimize the content distribution load on the site server(s). |
| PXE & Multicast DP | Support for OSD. Example: migration from Windows XP to Windows 7, 8, 8.1, etc. |
| Cloud DP | Support for elastic operations such as a temporarily large distribution to clients. Example: rollout of a new CRM tool. |
Depending on the complexity of your environment you may need to mix and match DPs to meet your specific requirements. Of course, all of these scenarios can be made more efficient by incorporating BranchCache support on clients. For more information on how to use BranchCache to optimize software distribution while minimizing infrastructure components see my post on CanITPro.
While Windows 8.1 and Windows Server 2012 R2 were released earlier this month, when nobody was looking, System Center 2012 Configuration Manager R2 came out. Did anybody notice? Aside from support for Windows 8.1 and Windows Server 2012 R2, there are quite a few new features. I understand that many organizations typically wait before deploying new versions of products, but what’s in store for those who are ready to install, if only for evaluation purposes? Here are the features that I’m most interested in exploring:
Profiles, Profiles, Profiles
A raft of new profile types can be managed including Remote Connection profiles, VPN profiles, Wi-Fi profiles, and Certificate profiles. This can really simplify the management of some complex settings across devices.
Reassign clients to another site in the hierarchy. This will primarily be useful for large organizations with a CAS.
Many new features and enhancements including user self-enrollment for Android and iOS using the company portal app. Another neat new feature that I’m excited about is support for personal and corporate owned devices. This feature will be useful in lifecycle management and BYOD scenarios where a selective wipe makes more sense when a device is lost. There are also some new compliance settings specifically targeted at mobile devices.
Software Distribution and Application Management
There’s a new Deployment Type for web based applications. This is really just a way to manage links to web based applications but it does help to simplify and centralize all software deployments. There are also some new features that are intended to help manage scenarios that include Windows Store Apps and the company portal.
There are some enhancements to ADRs as well as a new type of maintenance window specifically for Software Updates. I can see this being very useful for organizations that need to manage software updates on a different schedule than normal application deployments.
Check out fellow MVP Kent Agerlund’s TechEd New Zealand presentation for some demos of some of the changes. For a full list of the changes and additions in Configuration Manager 2012 R2, check TechNet.
I’m not a licensing expert and I don’t play one on TV but it occurs to me that many organizations are paying twice for their endpoint protection solutions. I have been involved in over two dozen System Center 2012 Configuration Manager deployments and only one of the organizations was even mildly interested in System Center Endpoint Protection. My understanding is that the System Center Endpoint Protection (SCEP) CAL is included in the System Center 2012 Configuration Manager CAL. So at least from a licensing perspective if you already have Configuration Manager, you have SCEP. So why are organizations paying Symantec, McAfee, Trend, or some other endpoint protection vendor in addition to Microsoft? I understand that SCEP may not fit the bill for some organizations and that they may have specific requirements that need to be addressed by their chosen solution but doesn’t it make sense to at least evaluate the SCEP option – especially if you have already paid for it? What are some of the possible reasons that SCEP is flying under the radar of most organizations?
- Microsoft isn’t in the Gartner Magic Quadrant, they are in the Challenger’s quadrant.
- There have been very few independent reviews of SCEP apart from one pseudo review since it really isn’t a stand-alone product but part of a suite.
- Microsoft isn’t really pushing the solution since there is no financial upside (the product is already sold, just not deployed).
- Organizations are complacent and don’t have the time or desire to make a change.
What are some of the reasons that an organization might want to try out SCEP?
- Save money! The license is already owned as part of Configuration Manager. Why continue to pay another provider until you’ve at least evaluated it for your particular use cases?
- Minimize infrastructure and administrative overhead. Configuration Manager already has the infrastructure for managing client configurations and moving software and updates to them as part of its software distribution and patch management solutions. This is essentially the same as managing endpoint policies and distributing malware signature files. Why maintain a duplicate infrastructure for third party endpoint clients and signature files and train administrators on multiple products?
- Unified security posture visibility. When you need to understand your complete desktop security posture, do you want to get one report from your endpoint solution and another from your patch management solution and try to correlate the data to understand your actual security posture? Wouldn’t you rather have a single repository for all of the relevant data and be able to create a unified report? What about integrating endpoint protection policies with the compliance management built in to Configuration Manager?
What are you waiting for? Start being SCEPtical. Turn on System Center Endpoint Protection!