System Center

Office365 for Fringe Use Case Scenarios

Posted on Updated on

Microsoft’s newest billion-dollar business units include Office 365 and Azure. There’s lots of marketing, sales, and ROI information about Office365 and cloud services in general, so I’m not going to bore you with another post about how to save your organization money or accelerate value by adopting Office365. Instead, I’m going to describe two real-world use cases where I have personally found Office365 to help. I might even throw in some anecdotal cost-benefit analysis, but my main purpose is to explore some less common uses for Office 365 that you may not have thought of.

The two scenarios are:

  1. External consultants
  2. Test and Development

External Consultants

I manage a team of consultants that regularly have to work at client sites, often at very security-conscious organizations. We can’t always use our own laptops in their environment, and when we can it is typically through guest wireless networks. We’ve encountered situations where the guest wireless prevents us from connecting back to our office through VPN, which makes it difficult to access some of our collaboration services like SharePoint. We have moved my team to Office365 specifically to do things like coauthoring documents in SharePoint from customer sites. This enables some interesting scenarios: we’ve had cases where an offsite consultant was able to review and update some documentation while it was being simultaneously authored by another consultant working in our lab.

Test and Development

We do a lot of System Center work. System Center is a complex suite of products that interact with each other as well as with core Windows infrastructure like Active Directory and Exchange. When we are building out a proof of concept for a customer, they typically don’t want us to touch their production AD and Exchange environments. I don’t blame them. Ultimately, in order to complete the project we would need to somehow build out an Active Directory and Exchange infrastructure dedicated to the proof of concept or pilot. Consider the additional costs in hardware, software, and time required to accomplish this. Lately we’ve started using Office365 to provide Exchange services. It takes minutes to provision and connect to. Examples we’ve used recently include the Exchange connector for Configuration Manager and Service Manager. Using this approach, in under an hour I was able to get more than a half dozen mobile devices loaded into Configuration Manager for an MDM/UDM proof of concept without touching any production AD or Exchange infrastructure, simply by adding an additional email account to the devices.

We’ve extended this to Azure as well. We have been using Azure to host System Center instances for proof of concept and sandbox deployments. I’m looking forward to combining Azure with Office365 to further accelerate our pilots and proofs of concept deployments.

Configuration Manager Distribution Points – Use case scenarios


Configuration Manager is a constantly evolving and improving product. Distribution Points (DPs) in Configuration Manager have advanced quite a bit since SCCM 2007. Configuration Manager 2012 introduced bandwidth scheduling and throttling to the DP role, a feature previously limited to secondary sites. For many organizations, secondary sites are no longer required: the new Distribution Point functionality is sufficient to replace many secondary site use cases.

TechNet does a fantastic job of educating IT Pros on what the new features are and how to configure them. What I’m going to attempt to do in this post is help identify some use case scenarios where they make sense.

Let’s start with a high level review of the different types of Distribution Points (DPs).

Distribution Point Concepts

Distribution Points (DPs) provide content (applications, software updates, etc.) to clients. Boundary groups (groups of boundaries containing AD site info or IP subnet, IP range, IPv6 prefix) are assigned to DPs to help clients locate preferred DPs. A DP can optionally be configured as a fallback content point so that clients that cannot retrieve content from a preferred content point can access it from the fallback location. For a client to successfully retrieve content, it must be in a boundary associated with a boundary group on a preferred or fallback DP.

Standard Distribution Point

A standard Distribution Point is used to serve content to clients. There is a limit of 250 DPs per site (and secondary site).

Use Case:

Pull Distribution Point

A Pull DP is very similar to a Standard DP except that it gets its content from another DP (known as a source DP). This minimizes the load on the site server, since the Pull DP manages its own content transfer in much the same way that a Configuration Manager client would. There is a limit of 2000 Pull DPs per site (and secondary site).

PXE & Multicast Distribution Points

DPs can be configured to respond to PXE requests and send multicast streams as part of OSD scenarios. In order to support these features, WDS must be installed and enabled on the distribution points. Both Standard DPs and Pull DPs support PXE and Multicast.

Cloud Distribution Point

A Cloud DP is an Azure-hosted distribution point that can be rapidly scaled up or down to meet changing requirements. It has many of the advantages of other cloud-based IaaS offerings. Cloud DPs do not support OSD or SUS, since they do not support PXE or software update packages. There are other limitations as well. For more information on Cloud DPs check TechNet.
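To make the content-location rules in the Distribution Point Concepts section concrete (boundaries, boundary groups, preferred versus fallback DPs, and the per-site limits of 250 standard and 2000 Pull DPs quoted above), here is an added Python model of that lookup. It is an illustration written for this page, not Configuration Manager’s own code or API; the DP names, addresses and the helper functions are constructed for the example, and the way fallback is modelled (a client with no preferred DP may use any DP flagged as a fallback source, if the deployment permits it) is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of ConfigMgr 2012 content location (added illustration, not product code).
# The two limits are the ones stated on the page; everything else is a simplifying assumption.
MAX_STANDARD_DPS_PER_SITE = 250
MAX_PULL_DPS_PER_SITE = 2000


@dataclass(frozen=True)
class Boundary:
    """One boundary: AD site name, IP subnet, IP address range, or IPv6 prefix."""
    kind: str    # "ADSite" | "IPSubnet" | "IPRange" | "IPv6Prefix"
    value: str

    def contains(self, client_ip, client_ad_site):
        if self.kind == "ADSite":
            return client_ad_site == self.value
        if client_ip is None:
            return False
        ip = ipaddress.ip_address(client_ip)
        if self.kind in ("IPSubnet", "IPv6Prefix"):
            net = ipaddress.ip_network(self.value, strict=False)
            return ip.version == net.version and ip in net
        if self.kind == "IPRange":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return ip.version == lo.version and lo <= ip <= hi
        raise ValueError(f"unknown boundary kind: {self.kind}")


@dataclass(frozen=True)
class DistributionPoint:
    name: str
    allow_fallback: bool = False          # "Allow fallback source location for content"
    pull_source: Optional[str] = None     # set when this is a Pull DP; names its source DP
    pxe: bool = False
    multicast: bool = False


@dataclass(frozen=True)
class BoundaryGroup:
    name: str
    boundaries: Tuple[Boundary, ...]
    content_dps: Tuple[str, ...]          # names of DPs assigned to this group

    def matches(self, client_ip, client_ad_site):
        return any(b.contains(client_ip, client_ad_site) for b in self.boundaries)


def locate_content(client_ip, client_ad_site, groups, dps, deployment_allows_fallback=True):
    """Return (preferred_dps, fallback_dps) for one client.

    Preferred DPs come from every boundary group the client falls into. If there
    are none and the deployment permits fallback, the client may use any DP
    flagged as a fallback source (assumption made for this model)."""
    preferred = []
    for g in groups:
        if g.matches(client_ip, client_ad_site):
            for name in g.content_dps:
                if name not in preferred:
                    preferred.append(name)
    if preferred or not deployment_allows_fallback:
        return preferred, []
    return [], [d.name for d in dps if d.allow_fallback]


def check_site_limits(dps):
    """Flag a site that exceeds the per-site DP limits stated on the page,
    or a Pull DP whose source DP is not defined."""
    standard = sum(1 for d in dps if d.pull_source is None)
    pull = sum(1 for d in dps if d.pull_source is not None)
    problems = []
    if standard > MAX_STANDARD_DPS_PER_SITE:
        problems.append(f"{standard} standard DPs exceeds {MAX_STANDARD_DPS_PER_SITE}")
    if pull > MAX_PULL_DPS_PER_SITE:
        problems.append(f"{pull} pull DPs exceeds {MAX_PULL_DPS_PER_SITE}")
    known = {d.name for d in dps}
    for d in dps:
        if d.pull_source is not None and d.pull_source not in known:
            problems.append(f"pull DP {d.name} names unknown source DP {d.pull_source}")
    return problems


# Constructed sample environment (hypothetical names and addresses).
SAMPLE_DPS = (
    DistributionPoint("DP-HQ", allow_fallback=True, pxe=True, multicast=True),
    DistributionPoint("DP-BRANCH1", pull_source="DP-HQ", pxe=True),   # Pull DP fed by HQ
    DistributionPoint("DP-CLOUD", allow_fallback=True),               # cloud DP: no PXE/multicast
)
SAMPLE_GROUPS = (
    BoundaryGroup("HQ", (Boundary("ADSite", "HQ-Site"), Boundary("IPSubnet", "10.1.0.0/24")),
                  ("DP-HQ",)),
    BoundaryGroup("Branch1", (Boundary("IPRange", "10.2.0.1-10.2.0.254"),
                              Boundary("IPv6Prefix", "2001:db8:2::/48")),
                  ("DP-BRANCH1",)),
)

if __name__ == "__main__":
    for ip in ("10.1.0.25", "10.2.0.7", "2001:db8:2::10", "192.0.2.9"):
        print(ip, locate_content(ip, None, SAMPLE_GROUPS, SAMPLE_DPS))
    print(check_site_limits(SAMPLE_DPS))
```

The last client in the sample (192.0.2.9) sits in no boundary group, so it gets no preferred DP and is offered only the two fallback-enabled DPs; a client on an unmanaged network that is also outside every fallback path would get nothing, which is the failure mode to check for when a site reports content-location errors.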

Use Case Scenarios

DP Type – Sample Use Case

Standard DP – Standard DPs make sense anywhere that there are large numbers of clients to serve. Although there is no clear line in the sand, it’s fairly easy to make the case for a DP at a location with more than 50 clients.

Pull DP – Augment the number of DPs beyond 250 per site (up to 2250) and/or minimize the content distribution load on the site server(s).

PXE & Multicast DP – Support for OSD. Example: migration from Windows XP to Windows 7, 8, 8.1, etc.

Cloud DP – Support for elastic operations such as a temporarily large distribution to clients. Example: rollout of a new CRM tool.

Depending on the complexity of your environment you may need to mix and match DPs to meet your specific requirements. Of course, all of these scenarios can be made more efficient by incorporating BranchCache support on clients. For more information on how to use BranchCache to optimize software distribution while minimizing infrastructure components see my post on CanITPro.

What’s New in System Center 2012 Configuration Manager R2?


While Windows 8.1 and Windows Server 2012 R2 were released earlier this month, when nobody was looking, System Center 2012 Configuration Manager R2 came out. Did anybody notice? Aside from support for Windows 8.1 and Windows Server 2012 R2, there are quite a few new features. I understand that many organizations typically wait before deploying new versions of products, but what’s in store for those who are ready to install, if only for evaluation purposes? Here are the features that I’m most interested in exploring:

Profiles, Profiles, Profiles

A raft of new profile types can be managed including Remote Connection profiles, VPN profiles, Wi-Fi profiles, and Certificate profiles. This can really simplify the management of some complex settings across devices.

Client reassignment

Reassign clients to another site in the hierarchy. This will primarily be useful for large organizations with a CAS.

Mobile Devices

Many new features and enhancements including user self-enrollment for Android and iOS using the company portal app. Another neat new feature that I’m excited about is support for personal and corporate owned devices. This feature will be useful in lifecycle management and BYOD scenarios where a selective wipe makes more sense when a device is lost. There are also some new compliance settings specifically targeted at mobile devices.

Software Distribution and Application Management

There’s a new Deployment Type for web based applications. This is really just a way to manage links to web based applications but it does help to simplify and centralize all software deployments. There are also some new features that are intended to help manage scenarios that include Windows Store Apps and the company portal.

Software Updates

There are some enhancements to ADRs as well as a new type of maintenance window specifically for Software Updates. I can see this being very useful for organizations that need to manage software updates on a different schedule than normal application deployments.

There are fifty new PowerShell cmdlets – my colleague Sean will be excited about this.

Check out fellow MVP Kent Agerlund’s TechEd New Zealand presentation for demos of some of the changes. For a full list of the changes and additions in Configuration Manager 2012 R2, check TechNet.

You want me to pay twice? Why aren’t more organizations SCEPtical?


I’m not a licensing expert and I don’t play one on TV but it occurs to me that many organizations are paying twice for their endpoint protection solutions. I have been involved in over two dozen System Center 2012 Configuration Manager deployments and only one of the organizations was even mildly interested in System Center Endpoint Protection. My understanding is that the System Center Endpoint Protection (SCEP) CAL is included in the System Center 2012 Configuration Manager CAL. So at least from a licensing perspective if you already have Configuration Manager, you have SCEP. So why are organizations paying Symantec, McAfee, Trend, or some other endpoint protection vendor in addition to Microsoft? I understand that SCEP may not fit the bill for some organizations and that they may have specific requirements that need to be addressed by their chosen solution but doesn’t it make sense to at least evaluate the SCEP option – especially if you have already paid for it? What are some of the possible reasons that SCEP is flying under the radar of most organizations?

  1. Microsoft isn’t in the Gartner Magic Quadrant, they are in the Challenger’s quadrant.
  2. There have been very few independent reviews of SCEP apart from one pseudo review since it really isn’t a stand-alone product but part of a suite.
  3. Microsoft isn’t really pushing the solution since there is no financial upside (the product is already sold, just not deployed).
  4. Organizations are complacent and don’t have the time or desire to make a change.

What are some of the reasons that an organization might want to try out SCEP?

  1. Save money! The license is already owned as part of Configuration Manager. Why continue to pay another provider until you’ve at least evaluated it for your particular use cases?
  2. Minimize infrastructure and administrative overhead. Configuration Manager already has the infrastructure for managing client configurations and moving software and updates to them as part of its software distribution and patch management solutions. This is essentially the same as managing endpoint policies and distributing malware signature files. Why maintain a duplicate infrastructure for third-party endpoint clients and signature files, and train administrators on multiple products?
  3. Unified security posture visibility. When you need to understand your complete desktop security posture, do you want to get one report from your endpoint solution and another from your patch management solution and then try to correlate the data to understand your actual security posture? Wouldn’t you rather have a single repository for all of the relevant data and be able to create a unified report? What about integrating endpoint protection policies with the compliance management built in to Configuration Manager?

What are you waiting for? Start being SCEPtical. Turn on System Center Endpoint Protection!

Hyper-V vs. vSphere…and the Winner Is Service Manager?


I often get asked why I like Hyper-V or why I don’t like VMware. The answer, strangely, isn’t about technology. Anybody that knows me well knows that I’m not a technology bigot, meaning I don’t get fanatical about particular companies or pieces of technology. In my house we have six tablets: a Surface RT, a Surface Pro (soon to be replaced by a Pro 2), 3 Android tablets, and an iPad. They all get used on a regular basis. There is no favourite, just a preference for one device over the other based on the particular use case in question and the strengths of each device at addressing that use case. I’ve used VMware products for years and I like them. They have met many of the requirements I’ve had for a long time.

So how does this relate to Microsoft vs. VMware? Well, I see a lot of fanaticism over VMware. A large percentage of IT Pros really love it and many are fanatical about it. They are quick to criticize alternatives (like Hyper-V) without having all of the facts. Another issue is that most people see the results of past consumption and mistake it for current market trends. Let me explain that with an example. Currently Android phones outsell iPhones; however, most people see more iPhones in use than Android phones because iPhones have been around longer and have had past sales success. What is being seen is phones that were purchased over the last several years still in use.

Enough digressions. Back to Microsoft and VMware. Historically, VMware has had the edge over Microsoft in the hypervisor market. With Hyper-V 3, most experts would agree that the gap has narrowed enough that for most organizations, the differences are insignificant from a pure technical capabilities perspective. It’s like choosing between a Honda and a Toyota. Both vendors have offerings in every major segment. Most consumers would be equally well served by a Camry or an Accord but preferences still abound. In the virtualization world, there are many other factors to consider such as migration costs, retraining, new licensing, etc. VMware has had very strong technical offerings for a long time and the investments made by many organizations can’t easily be shifted. Of course, historically, there are many examples of a technically superior product being eclipsed (BetaMax vs. VHS, Amiga vs. PC, FLAC vs. MP3). It also isn’t about first or early movers in a market. Consider Blackberry losing 33% market share in 2012 while Android now has nearly 80% market share in the smartphone market. Of course, depending on when you read this the current market share may be very different.

So back to my previous statement “It isn’t about technology”. I’ve shown examples of a superior product losing out as well as examples of an early mover with a dominant market position being eclipsed by a relative newcomer. If not technology, what’s it about then?

Well, I’m an IT Pro. Any IT Pro worth his salt will tell you that the three key elements of a successful IT rollout of any system are People, Process, and Technology. Not necessarily in that order, but all three ingredients are required for success.

As I’ve mentioned previously, VMware has great technology and Microsoft is no slouch either. We can remove people from the equation since both Microsoft and VMware have access to pretty much the same talent pool, and really, the people that matter most aren’t the vendor’s staff but the enterprise customers’ datacenter staff. So a talented VMware administrator could easily be a talented Microsoft administrator. Using the same logic, you might conclude that the processes used in enterprise datacenters would also be a wash between VMware and Microsoft implementations, and for the most part you’d be right. However, I believe Microsoft has an edge. Here’s why:

Microsoft has a long history of supporting cloud/online services that process billions of transactions a year. Consider Hotmail, XBOX Live, Office 365, and Azure as a few examples. To run services at that scale, Microsoft has had to develop some fairly robust processes for managing their datacenters. This isn’t new for Microsoft: consider that the ITIL-based Microsoft Operations Framework (MOF), currently at version 4.0, has been around since 2000. VMware doesn’t have an online services history from which to learn the hard lessons of datacenter management, or a history of helping customers manage their datacenters from a process perspective. Microsoft has taken the battlefield-tested processes they’ve used for over a decade and incorporated many of them into one of the newer and lesser known products in the System Center suite, Service Manager.

Service Manager helps organizations align business processes with technology delivery to create efficiencies in service delivery. The product is tightly integrated with the rest of the System Center suite (especially products like Operations Manager and Configuration Manager) as well as Active Directory. The rich CMDB provided by Service Manager helps to manage the inevitable VM sprawl that accompanies virtualization. It is also a great platform to bolt on a SAM/ITAM solution like the one from Provance (full disclosure: Provance is headquartered a few kilometres from my home and I know many of their staff professionally; we’ve worked on joint projects and I’ve had more than a few drinks with them over the years).

Until VMware has a similar offering, organizations that want to enable IT Service Management (ITSM) best practices, will find it much easier with a Microsoft private cloud solution than with a VMware solution.

BTW – market share numbers for last year show an interesting trend in hypervisor adoption rates (chart not reproduced here).

Source – Wall Street Journal / IDC

Are we in the midst of a Blackberry like decline for VMware?

Microsoft’s MDM Toolset


I get a lot of questions about Microsoft’s mobile device management (MDM) strategy. It can be confusing because to achieve the full spectrum of management functionality, multiple Microsoft products are required:

  1. Exchange ActiveSync (EAS)
  2. System Center 2012 Configuration Manager
  3. Windows Intune

Can you do some MDM with only EAS? Of course. Can you do MDM with only Intune? Absolutely. So how do you explain this multi-product approach to MDM? Although not strictly true, the way I like to look at it is as a series of layers, with each layer adding additional functionality, and Configuration Manager bringing it all together.

Layers: Exchange ActiveSync (EAS), Configuration Manager, Intune
  • Configuration Manager, through the Exchange connector, exposes the policy objects in the Configuration Manager console to create collection specific policies.
  • Configuration Manager provides additional value in the form of asset inventory of devices connecting through EAS as well as reporting and compliance management of EAS policies on the devices.
  • Configuration Manager provides the single pane of glass for managing EAS and Intune enrolled devices.
  • Intune provides the bridge to the vendor-specific application stores (“App Stores”, e.g. iTunes, Google Play, Windows Phone Store, etc.)
  • Additional policies and enforcement
  • Intune provides application management and hardware lifecycle management (enroll, manage, retire).
  • Intune provides interesting options like selective wipe and application delivery.

Microsoft calls this approach Unified Device Management (UDM) since it goes beyond simply managing mobile devices. Using the Microsoft approach, all devices including servers, desktops, laptops, tablets, and mobile phones can be managed with the same tool set. Some might consider this too confusing and prefer a point solution with fewer moving parts; however, consider the following:

  1. Many organizations already have Configuration Manager in place
  2. Many organizations already have Exchange or hosted Exchange in place
  3. Using an incremental approach allows you to start small using the pieces you already have without purchasing new software and tailor the solution to your specific needs while controlling costs

Start with Exchange and Configuration Manager and add Intune when and where it makes sense.