In the last few years SCCM has been introducing new features to the software update workflow to help with server update scenarios. Features such as Server Groups, maintenance windows, and Pre and Post deployment actions allow an unprecedented level of control over how and when servers are patched.
Top 10 Reasons to use SCCM for Server Updates
So what are some of the benefits of using SCCM to update servers compared to other tools like WSUS? Consider the following:
- Granular Deployment Control – Unlimited number of Collections based on Technology and Business requirements
- Automated Maintenance Windows – Patches will only deploy during scheduled maintenance windows
- Pre and Post Automation – Run Scripts before and after Updates (Example: Create a VM snapshot)
- Restart Management – Control over Server restart behaviour
- Automated Deployment Rules – Automate repetitive business logic based patching scenarios based on predetermined selection criteria such as platform, product, classification etc.
- Update Templates – Create scenario based templates to accelerate patching and minimize errors
- Rich reporting – Dozens of canned reports for updates management and status as well as the option for custom reports
- Bandwidth management and optimization – Use local repositories and peer caching to minimize the amount of network load and accelerate deployments. Schedule and throttle bandwidth usage based on time of day.
- Server Group Control – Logic based on number, percent and order of servers to be patched at any given time. Ideal for clusters and load balanced services.
- Query based targeting – richer targeting based on asset inventory data
That’s a lot of control and conceptually difficult to understand. I used to love the superflows in the old SMS documentation. I’ve created a miniflow of my own to help you understand how some of the new features can be used to take better control of the server update process.
I often get asked how I stay current with so many new technologies. To be honest I think I struggle to stay current but I do attend conferences and consume a lot of information from the internet. Since I primarily deal with Microsoft Technologies I spend a lot of time navigating their website. Sometimes it feels like trying to drink Tequila form a firehose with no lime. So let me provide you some lime – I’ve started creating lists of useful resources that I’ve come across and I will be posting them to this blog on occasion. The last time I did this was in my Christmas post last year “The Best Things in Life are Free” and it turned out to be my most popular post of the year. I hope you like this one as much. So without any further ado, here’s the list:
|Developer Tools Download
||Download any Visual Studio skus, including VS 2015|
|AzureCon On-Demand Videos||AzureCon ON-Demand videos on Channel 9|
|A New Era of Windows 10 Devices from Microsoft||Terry Myerson on new devices for Windows 10|
|AzureCon Keynote Announcements: India Regions, GPU Support, IoT Suite, Container Service, and Security Center||Scott Guthrie’s AzureCon Announcement|
|Five questions to ask when choosing an IoT provider for your business||Before you decide on a solution provider, ask yourself these questions:|
|Windows 10 development for absolute beginners||The absolute beginners’ series is back for Windows 10. It doesn’t matter if you’re a pro dev or just starting out, there’s valuable content for everyone.|
|Zero to Continuous Deployment of Dockerized App for Dev-Test in Azure||This video walks through a recent scenario in which we helped a customer optimize their IT processes with DevOps practices and bring their vision to life.|
|Platform As A Service, Ease of Use, Rich Features Make Microsoft Azure Awesome||Interview #3: Michele Leroux Bustamante is the Founder of California based Snapboard and a Microsoft Regional Director. In this video, she talks about the versatility of Microsoft Azure’s features, its cross platform capabilities across Android, iOS, and OpenSource platforms, and what makes Azure the ideal cloud backend.|
|Preparing your Enterprise for Windows 10 as a Service||What do you need to begin testing Windows 10 for your organization? Find out, in the fifth episode of the Enterprise Mobility Core Skills series|
|What’s new in Windows Server 2016 Preview||Check out this demo-packed look at Windows Server 2016 Preview, and see why it is the platform of choice for the integrated datacenter.|
You’ll have to get your salt somewhere else 🙂 Let me know what you think. Are these useful for you? Please feel free to suggest additional resources.
Update July 31, 2015 – A companion video to this blog post is now available on Channel9
I’m writing this post while downloading 10. No, not the Bo Derek movie from the 1979 that I wasn’t allowed to watch. Windows 10. Yeah that’s right – Although not generally available until July 29th, Build 10240 has been approved as the final RTM build and it is available to Windows insiders on both the fast and slow rings as of today. So while I can write about the availability of Windows 10 I can’t give you a first-hand review of it until a little bit later.
So while I wait for the bits to stream to me along with millions of other Windows Insiders let me share with you my Top Ten list of things that I’m excited about in Windows 10. It’s not really a TOP 10 list as I can’t really decide which of the dozens of things I’m most excited about. It’s really just a list of ten things that come to mind first while I wait for my download to complete. Without any further ado here is the list:
- The Start Menu is back and better than ever. It combines a program list a la Windows 7 on the left but also integrates live tiles on the right so that you can have the best of both worlds (See image at the bottom of the list
- Continuum – This will be more interesting as the Windows 10 for mobile gets closer to RTM. I’m really looking forward to using my phone as a PC by connecting a Bluetooth keyboard and wireless display through Miracast.
- Tablet Mode – Really part of Continuum but great for users with tablets or hybrids. It reorganizes the UIO based on whether there is a keyboard attached or not. You can be working desktop mode and detach the keyboard and automagically the start menu converts to the start screen, hamburger menus appear and the entire interface makes itself more touch friendly.
- The Edge Browser – Aka project Spartan – This browser is fast. Faster than Chrome and will support extensions. IE is still available but I’m going to be using Edge as my goto browser.
- Universal Apps – Again we’ll have to wait and see how this plays out long term. I’m excited at the prospect of a flurry of developers writing apps for the billion or so Windows devices.
- Cortana – I love Cortana on my phone and I’m excited about using it on my desktop. Cortana even helps me with the Surface Smiths Podcast
- Xbox Streaming – I hear you saying it sounds interesting but why would I ever want to stream my Xbox to my PC? Consider this scenario: You want to watch the big game or a special movie on the big screen with the surround sound and leather recliner but your kids want to play NHL2K15 and the Xbox is connected to the home theatre. Well, they can stream the game to a PC in another room and let you watch your game or movie in comfort.
- Windowed Modern/Metro Apps – That’s right they don’t HAVE to run full screen anymore unless you want them to. It makes multi-tasking much easier especially in a multi display environment.
- Virtual Desktops – This allows you to arrange apps or groups of Apps called, you guessed it, desktops how you like them and navigate between them. It’s like having multiple displays with apps organized to your liking just hidden until you need them.
I could go on but it looks like my bits are downloaded. I’m anxious to install Windows 10 RTM on my Surface Pro 3. Up until now I’ve only been using it in VMs on the Surface and on an older non-touch Dell laptop. Wait, you say. The list jumps from number 8 to number 10 – Well this is a Windows 10 post after all J
Let me know what you are most excited about in Windows 10 and if you’d like more information like this, please check out CanIT Pro where many more bloggers will be sharing their experiences with the best version of Windows to date. As part of the Windows 10 launch, Microsoft stores are holding special events, workshops and guest appearances . If you would like more information about these events, click here .
I recently had to rebuild my Windows 8.1 laptop. In fact, this is the first real piece of work that I am doing on it while I reinstall apps in the background. As part of the process I had to re-install Microsoft Office. As long as I have been using a 64bit OS as my standard desktop (Windows 7 was the first OS that I only ran as x64)) as I have always used the 64bit version of Office. When downloading the ISO for Office 2013 SP1 from the MS Partner site, I noticed that Microsoft has posted the following message:
Important: Microsoft strongly recommends the use of 32-bit (x86) versions of Office 2013, Project 2013, and Visio 2013 applications as the default option for all platforms. Learn more about the deployment considerations for x64 and x86 at TechNet.
I consider myself somewhat of a technically savvy user (maybe a poor assumption?) and I have always assumed that all things being equal 64bit is better than 32bit. Just like 32bit is better than 16bit (and 16bit is better than 8bit etc.)
So Off I went to TechNet to find out why this strong recommendation from Microsoft. Considering how hard it has been to get users and enterprises to give up Windows XP, you’d think that they want everyone to upgrade to the latest generation of tools right?
Here is the key reason for the strong recommendation directly from TechNet:
32-bit Office is recommended for most users
We recommend the 32-bit version of Office, because it is more compatible with most other applications, especially third-party add-ins. This is why the 32-bit version of Office 2013 is installed by default, even on 64-bit Windows operating systems. On these systems, the 32-bit Office client is supported as a Windows-32-on-Windows-64 (WOW64) installation. WOW64 is the x86 emulator that enables 32-bit Windows-based applications to run seamlessly on 64-bit Windows systems. This lets users continue to use existing Microsoft ActiveX Controls and COM add-ins with 32-bit Office.
So what about my assumption that all things being equal x64 is better than x86? Well, I wasn’t wrong but it turns out that all things aren’t equal. Third party vendors don’t pay equal attention to 32bit office and 64bit office. There are other good reasons to consider Office x86 such as:
- The 64-bit version of Microsoft Office isn’t compatible with any other 32-bit version of Office programs. So you must first uninstall all 32-bit versions of Office programs before you install the 64-bit version of Office.
- Any add-ins you want to run for Office must also be 64-bit editions.
- Third-party ActiveX controls and add-ins. None of these work with the 64-bit version of Office.
- There is no 64-bit version of Visual Basic 6, so many of these objects need to be ported and rewritten.
- Microsoft Visual Basic for Applications (VBA) won’t work unless you manually update the “Declare” statements.
- Compiled Access databases The .MDE and .ACCDE files, a common way for Access application developers to distribute solutions and protect their intellectually property, don’t work in the 64-bit version of Office. You must contact the application developer to recompile, retest, and redistribute the solution in the 64-bit version.
With all of the reasons not to use 64bit Office, why on earth would anyone chose to use it? It still makes sense for some users such as the following examples from TechNet:
- Excel expert users who work with complex Excel worksheets can benefit from using 64-bit Office 2013. This is because 64-bit Office doesn’t impose hard limits on file size. Instead, workbook size is limited only by available memory and system resources. On the other hand, 32-bit Office is limited to 2 gigabytes (GB) of virtual address space, shared by Excel, the workbook, and add-ins that run in the same process. (Worksheets smaller than 2 GB on disk might still contain enough data to occupy 2 GB or more of addressable memory.) You can learn more in Excel specifications and limits and Data Model specifications and limits.
- Users who use Project 2013 also benefit when they use Project files over 2 GB, especially when they are dealing with many subprojects to a large project.
- In-house Office solution developers should have access to the 64-bit Office 2013 for testing and updating these solutions.
- Office 2013 offers enhanced default security protections through Hardware Data Execution Prevention (DEP). (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. For 64-bit installs, DEP will always be enforced for Office applications. On 32-bit installs, you can configure DEP by using Group Policy settings.
If you need to deploy both versions of Office with Configuration Manager, you can use the same application with different deployment types as I’ve explained in my previous post Managing 32 bit and 64 bit versions of applications using Global Conditions, Requirement Rules and Deployment Types.
BTW – I’m running 32bit Office now.
<Rant> As an MVP I’m under and NDA that prohibits me from blogging about Microsoft products before they are released to the general public. While most Microsoft products are available to MSDN, TechNet and Volume License customers several weeks before the official General Availability (GA) date. While I generally have some foreknowledge of what is coming down the pipe and in some cases I have had discussions with the product group about a feature and have been involved in beta testing, I’m not allowed to blog about it until GA. That’s why there are dozens of blog posts about Windows 8.1 Update 1 already published. For instance, the bits have been available on MSDN since April 2nd, 2014. The GA date is April 8th, 2014 (the same day that Windows XP rides off into the sunset). So anybody with an MSDN subscription can download it and blog about it for about a week before I can. Not to mention all of the other sources for the bits that have had it available for a few weeks longer.
I’ve used the scheduling feature of WordPress to schedule the publishing of this post to just after midnight on April 8th so that I don’t violate my NDA.
While I’m in rant mode, let me just say that I hate the term Modern UI. At what point does it stop being modern? Will the next UI be call Postmodern? </Rant>
Now that I’ve had my rant, and explained why there are many other blog posts in the wild that have already dissected this update, I’ll try to add some value to those who have already enumerated the features by giving you my perspective on some of the additions.
How to get the Update?
What do you need to do to get the update? Windows 8.1 Update 1 is free for licensed users of Windows 8.1 (as Windows 8.1 was few for licensed users of Windows 8.) It is actually a series of 6 updates that should be applied in a specific order. One of the updates became available last month so you may already have it. If you have automatic updates turned on, you should get it automatically. As an administrator, you probably want to test it and inform users of the impending changes before releasing it into your production environment.
♫These are a few of my favourite things ♪
What do I like most in the update. The most immediately noticeable items for (those that I expect to increase my productivity and minimize frustration) are included below:
- Power to the People – Faster shutdown in Modern UI – No need to go to Charms, then Settings, then Power to shutdown, sleep, restart or hibernate. Of course mousers can Right Click the Start Button , select Shutdown or sign out to get the same options.
- Stop Searching for Search – The same goes for Search as for Power – It’s now in the top Right with the Power Icon and your username and avatar.
- Pin Modern UI Apps to the task bar.
- Show Running Modern UI Apps by hovering on the taskbar icon
Windows 7 Style Start Menu?
This update doesn’t provide a “vintage” Start Menu (Third party add-ons are available free and otherwise) however there are rumours – some of them fueled by MS Staff, like Terry Myerson at Build (Microsoft’s Developers Conference) last week. Since, as I previously explained, I cannot blog about these rumours, please check out one of the blogs below to get your fill of rumours.
BitLocker To Go is Microsoft’s removable media encryption solution. It uses the same underlying disk encryption technology as BitLocker (for fixed disks) but is designed to address the use cases around removable media. For example, sensitive data is copied to a USB key and lost. If the key is protected with BitLocker To Go, if the key is found, the data is unreadable on a device that hasn’t viewed the data previously without a PIN. This renders the data essentially useless except by an authorized user.
There are dozens of configuration options managed through policy objects that can be used to control BitLocker. There is plenty of information already on TechNet here.
I’m not going to get into the fine details of each individual policy. I’m going to provide a framework to help you decide what combination of configuration options will meet a particular use case. Most organizations need to understand how they want to implement BitLocker To Go. A good starting point is to by considering the following questions:
- Do you want to enforce the encryption of removable media or leave encryption to the user’s discretion?
- Do you want to prevent the reading of data from removable media not authored within the organization (E.g. read a key from a vendor, or a personal a user’s personal unencrypted key)
- Do you want to prevent writing to unencrypted removable media devices?
Most organizations will not want to leave the decision whether or not to encrypt removable media to the discretion of the end user. This involves a training burden and sound judgment by the end user. Ultimately there is no way to ensure or measure compliance.
Typically, an organization will want to ensure compliance. This involves creating a process to centrally encrypt USB keys and have a request/authorization process for users that need to right to keys.
- The scenario for USB keys is something like the following:
- Users can read from unencrypted USB keys (personal or from partners, vendors, etc.)
- Users are prevented from writing to unencrypted keys
- Users who need to write to a USB key go through the request and approval process.
- The Service Desk encrypts a key and delivers it along with the PIN and use instructions.
- Users are prompted for a PIN on first use of an encrypted key on a particular machine and can then write to the key
- If USB key is lost or stolen, it cannot be read except on a machine that has previously read the Key or by entering the PIN (or smartcard)
To implement the above scenario the following GPOs can be used as a starting point:
|Allow users to apply BitLocker protection on removable data drives||
|Allow users to suspend and decrypt BitLocker protection on removable data drives||
|Do not allow write access to devices configured in another organization||
|Do not install BitLocker To Go Reader on FAT formatted removable drives||
|Require password for removable data drive||
|Allow Data Recovery Agent||
|Omit recovery options from BitLocker setup wizard||
|Save BitLocker recovery information to AD DS for removable data drives||
|Do not enable BitLocker until recovery information is stored in AD DS for removable data drives||
|Require use of smart cards on removable data drives||