Strike Up Another Reason For Using System Center Configuration Manager In Your Cloud

It is rare that Microsoft releases a bad update through Windows Updates, but one appeared this week, as Hans Vredevoort posted.  How do you avoid the problem of automatically pushing out “bad” updates straight after they are released?

Well, here’s the “solution” I often encounter when I talk to consultants and administrators:

We approve patches manually

Ah!  My response to this usually goes along the lines of:

  1. I grimace
  2. and respond with:

When you approve patches manually then you don’t patch at all!

One such company hadn’t deployed a Windows update since Windows XP SP2 – and I suspect that the media they used came with SP2 slipstreamed.  There was no doubt that Conficker ate them up.  And there’s no doubt that Conficker is still in the top 10 of malware in domain-joined (i.e. administrator controlled) PCs.  Meanwhile, PCs that are managed by users (workgroup members) are not seeing Conficker in the top 10.  By the way, Microsoft released a hotfix to prevent Conficker 1 month before the malware was first detected, and that was around the time of Windows 7’s GA launch.

The fact is that manual patch testing and approval do not happen.  There might be a process, but that doesn’t mean that it’s used.  I bet if you surveyed 1000 companies with this process then you’d find the majority of them don’t do it, and are probably woefully unprotected.  Cue the moronic comments that’ll try to excuse behaviour … I know they’re coming and they only show guilt.

What you need is automation.  But doesn’t automated patch approval mean that patches are approved and deployed immediately, bugs and all?  Not necessarily.

When I started working with ConfigMgr 2012, I read the guides by Irish (in Sweden) MVP, Niall Brady.  I liked his approach to dealing with updates:

  1. Check for new catalog updates every hour (my preference)
  2. Allow already approved updates to be superseded automatically
  3. Delay approval of updates by 7-14 days
  4. Set a deadline of 7 days

With this approach, updates are approved automatically, but they aren’t made available for 7-14 days.  And updates won’t be mandatory for another 7 days beyond that.  That means updates don’t get forced onto machines for 14-21 days.

For server updates, I’d set a maintenance window on the collection(s) of servers, so that updates can only happen during those time windows (and not impact SLA).
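An added example (my own, not code from the post) of the delayed-approval approach above, scripted as one automatic deployment rule plus a server maintenance window. It assumes the ConfigurationManager PowerShell module of a later ConfigMgr build (cmdlet and parameter names are taken from that module, not the 2012 RTM console), and the site code, package name and collection names are placeholders.

```powershell
# Added example, not code from the post: an automatic deployment rule (ADR) and a
# server maintenance window that implement "delay, then deadline, in a window".
# ASSUMPTIONS: ConfigurationManager module (later than ConfigMgr 2012 RTM), site
# code 'PS1', an existing package 'Monthly Updates', and the collections
# 'All Workstations' / 'All Servers' are all placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# 1. Check for new catalog updates every hour: the software update point sync schedule.
$hourly = New-CMSchedule -RecurInterval Hours -RecurCount 1
Set-CMSoftwareUpdatePointComponent -SiteCode 'PS1' -EnableSynchronization $true -Schedule $hourly

# 2-4. One ADR that runs after every sync, excludes superseded revisions (so the
#      re-released version of a pulled update is what ships), makes updates
#      available only 14 days after release, and mandatory 7 days after that.
$adr = New-CMSoftwareUpdateAutoDeploymentRule `
    -Name 'Workstations - delayed automatic approval' `
    -CollectionName 'All Workstations' `
    -DeploymentPackageName 'Monthly Updates' `
    -AddToExistingSoftwareUpdateGroup $true `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -DateReleasedOrRevised Last1Month `
    -Superseded $false `
    -AvailableImmediately $false -AvailableTime 14 -AvailableTimeUnit Days `
    -DeadlineImmediately $false -DeadlineTime 7 -DeadlineTimeUnit Days `
    -EnabledAfterCreate $true

# 5. Servers: a weekly 4-hour window (Saturday 02:00-06:00) outside of which the
#    deployment cannot install or reboot, so the SLA is protected. -ApplyTo limits
#    the window to software updates (an assumption: it exists in current modules).
$window = New-CMSchedule -Start (Get-Date '2012-10-06 02:00') `
    -DurationInterval Hours -DurationCount 4 -RecurInterval Days -RecurCount 7
New-CMMaintenanceWindow -CollectionName 'All Servers' -Name 'Sat 02:00-06:00 patching' `
    -Schedule $window -ApplyTo SoftwareUpdatesOnly

# Verify what was created. If a bad update slips through, disabling the rule
# (Set-CMSoftwareUpdateAutoDeploymentRule -Name $adr.Name -EnabledAfterCreate $false)
# is the "stop the fan" switch; deployments already created keep their deadlines.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adr.Name | Select-Object Name, AutoDeploymentEnabled
Get-CMMaintenanceWindow -CollectionName 'All Servers' | Select-Object Name, Description
```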

With this approach, you get the best of both worlds:

  • You delay the updates, giving other people the “opportunity” to test the updates for you, and you deploy the 2nd release of “bad” updates (bad updates are superseded by new versions)
  • The process is automated, so your updates are pushed out without any human intervention.  You can always disable the automatic approval rule if the brown smelly stuff looks like it wants to hit the fan.

Remember, you can deploy updates from anywhere using ConfigMgr (see System Center Updates Publisher).  And this is just one of many reasons why I like ConfigMgr in the cloud.


Windows 8, Windows Server 2012, Configuration Manager, Endpoint Protection, and Windows Intune

I’ve got 4 blog posts for you to read.

As I was commuting yesterday, Mary Jo Foley blogged about a Microsoft announcement on how System Center Service Pack (SP) 1 – Configuration Manager (SCCM/ConfigMgr) and Windows Intune will be changing in the near future.  Some highlights:

  • System Center 2012 SP1 Beta is out
  • A new version of Windows Intune with WP8 and Windows 8 support is coming in early 2013
  • You will be able to integrate ConfigMgr with Windows Intune for unified device management, both company and BYOD – or use ConfigMgr and Intune separately
  • Windows Intune will switch to per-user licensing from per-device. The new per-user license covers 5 devices.  ConfigMgr client ML owners will also get a discount.
  • Windows Intune will (at last!!!) be sold without Windows 7/8 Enterprise; currently anyone with SA on the desktop OS gets a 50% discount because they already own Windows 7 Enterprise

A follow up blog entry was posted by Microsoft, discussing the support changes in ConfigMgr and Endpoint Protection for Windows 8 and Windows Server 2012:

ConfigMgr 2012 SP1 will support:

  • Windows 8 Pro/Enterprise and Windows Server Std/DC as clients
  • All site roles on WS2012 Std/DC

ConfigMgr 2007 SP1 will support Windows 8 Pro/Enterprise and WS2012 Standard/Datacenter as clients only.

System Center 2012 SP1 Endpoint Protection (SCEP) will protect:

  • Windows 8 Pro/Enterprise and Windows Server Std/DC as clients
  • WS2012 Std/DC

You can also protect those OSs with Forefront Endpoint Protection 2012 with Update Rollup 1.  Note that this 2010 version won’t support WS2012 as a management server.

Make sure you read the following to get more info and to fill in the gaps:

  • The original announcement
  • The news post by Mary Jo Foley
  • The supplemental support post by Microsoft


Let’s not stop there.  You might want to learn about the cross-platform support that’s being added to ConfigMgr 2012 SP1:

  • Mac OS will be added as a supported client: h/w discovery, software inventory, policy settings management, and software/patch distribution
  • Linux and UNIX will also be added: h/w discovery, software inventory, policy settings management, and software/patch distribution

SCEP 2012 will also support Mac OS – please don’t say that there is no malware on Mac OS because you’re living in a dreamland under a very dark rock if you think that’s the case.  I did not realise this, but:

Endpoint Protection 2012 Client for Linux is also available now.

Virtual Machine Servicing Tool 2012 Beta

Microsoft has launched the beta for VMST 2012.  This tool is used in conjunction with System Center 2012 Virtual Machine Manager (VMM) to update offline virtual machine resources from ConfigMgr/WSUS.

VMST 2012 helps you more effectively—and safely—manage the workflow of updating your offline virtualization environment. Using VMST 2012, you can now service:

– Offline virtual machines in a SCVMM library.

– Stopped and saved state virtual machines on a host.

– Virtual machine templates.

– Offline virtual hard disks in a SCVMM library by injecting update packages.

Patching A Windows Server 2012 Failover Cluster, Including Hyper-V

Cluster Aware Updating (CAU) is a new feature that makes running Windows or Automatic Updates on a Hyper-V cluster easier than ever, as well as any other WS2012 cluster.

If you currently have a Windows Server 2008/R2 Hyper-V cluster, then you have a few options for patching it with no VM downtime:

  • Manually Live Migrate VM workloads (Maintenance Mode in VMM 2008 R2 makes this easier), patch, and reboot each host in turn, which is a time consuming manual task.
  • Use System Center Opalis/Orchestrator to perform a runbook against each cluster node in turn that drains the cluster node of its roles (VMs), patches it and reboots it.
  • Use the patching feature of System Center 2012 Virtual Machine Manager – which is limited to Hyper-V clusters and adds more management to your patching process.

CAU is actually pretty simple:

  1. Have some patching mechanism configured: e.g. enable Automatic Updates on the cluster nodes (e.g. Hyper-V hosts), approve updates in WSUS/ConfigMgr/etc.  Make sure that you exempt your cluster nodes from automatic installation/rebooting in your patching policy; CAU will do this work.
  2. Log into Failover Clustering from a machine that is not a cluster node (Hyper-V host) member.  Run the CAU wizard.
  3. Here, you can either manually kick off a patching job for the cluster nodes or schedule it to run automatically.  The scheduled automatic option requires that you have deployed a CAU role on the cluster in question to orchestrate the patching.

When a patching job runs the following will happen:

  1. Determine the patches to install per node.
  2. Put node 1 in a paused state (maintenance mode).  This drains it of clustered roles – in other words your Hyper-V VMs will Live Migrate to the “best possible” hosts.  Failover Clustering uses the amount of free RAM to determine the best possible host.  VMM’s advantage is that it uses more information to perform Intelligent Placement.
  3. Node 1 is removed from a paused state, enabling it to host roles (VMs) once again.
  4. CAU will wait then patch and reboot Node 1.
  5. When Node 1 is safely back online, CAU will move onto Node 2 to repeat the operation.

VMs are Live Migrated throughout the cluster as the CAU job runs and each host is put into a paused state (automatically Live Migrating VMs off), patching, rebooting, and un-pausing.  It’s a nice simple operation.

The process is actually quite configurable, enabling you to define variables for decisions, execute scripts at different points, and define a reboot timeout (for those monster hosts).

Something to think of is how long it will take to drain a host of VMs.  A 1 GbE Live Migration network will take an eternity to LM (or vMotion for that matter) 192 GB RAM of VMs, even with concurrent LMs (as we have in Windows Server 2012).
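An added example (mine, not from the post) that drives the CAU process described above from PowerShell: the nodes are told not to install or reboot on their own, the run is previewed, and then an updating run is started with the reboot timeout and pre/post scripts the post mentions. The cluster name, the script paths and the 45-minute timeout are assumptions.

```powershell
# Added example, not code from the post. ASSUMPTIONS: cluster 'HVCLUSTER1', the
# scripts under C:\CAU\ and the timeout values are placeholders; run this from a
# management machine that is not a cluster node, as the post advises.
Import-Module FailoverClusters
Import-Module ClusterAwareUpdating

$cluster = 'HVCLUSTER1'

# Step 1 of the post: the nodes' own Windows Update policy must not install or
# reboot. AUOptions 3 = "download and notify", so CAU decides when to install.
# If a GPO or ConfigMgr policy manages this key, change it there instead.
Invoke-Command -ComputerName (Get-ClusterNode -Cluster $cluster).Name -ScriptBlock {
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    New-Item -Path $au -Force | Out-Null
    Set-ItemProperty -Path $au -Name NoAutoUpdate -Type DWord -Value 0
    Set-ItemProperty -Path $au -Name AUOptions   -Type DWord -Value 3
}

# Pre-flight: WinRM, firewall rules and cluster health, before any node is drained.
Test-CauSetup -ClusterName $cluster | Format-Table -AutoSize

# Preview "determine the patches to install per node" without changing anything.
Invoke-CauScan -ClusterName $cluster -CauPluginName Microsoft.WindowsUpdatePlugin |
    Format-Table -AutoSize

# Step 3 (manual kick-off): one node at a time is paused (VMs Live Migrate off),
# patched, rebooted, waited for, and resumed. -MaxFailedNodes 0 stops the run at
# the first node that fails rather than draining the next one into a sick cluster;
# -RebootTimeoutMinutes covers the long POST of a big physical host.
Invoke-CauRun -ClusterName $cluster `
    -CauPluginName Microsoft.WindowsUpdatePlugin `
    -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' } `
    -MaxFailedNodes 0 `
    -MaxRetriesPerNode 2 `
    -RebootTimeoutMinutes 45 `
    -PreUpdateScript  'C:\CAU\Pre-Check.ps1' `
    -PostUpdateScript 'C:\CAU\Post-Check.ps1' `
    -RequireAllNodesOnline `
    -Force

# Per-node outcome of the run just finished.
Get-CauReport -ClusterName $cluster -Last -Detailed

# Step 3 (scheduled alternative): the self-updating CAU clustered role orchestrates
# the same run on its own, here on the second Saturday of each month.
Add-CauClusterRole -ClusterName $cluster `
    -DaysOfWeek Saturday -WeeksOfMonth 2 `
    -CauPluginName Microsoft.WindowsUpdatePlugin `
    -MaxFailedNodes 0 -RebootTimeoutMinutes 45 `
    -PreUpdateScript 'C:\CAU\Pre-Check.ps1' -PostUpdateScript 'C:\CAU\Post-Check.ps1' `
    -EnableFirewallRules -Force
```

Size the timeout and the window from a real drain test first: the post's point about a 1 GbE Live Migration network applies to every pause in this run.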

Sounds nice, eh?  How about you see it in action:




I have edited the video to clip out lots of waiting:

  • These were physical nodes (Hyper-V hosts) and a server’s POST takes forever
  • CAU is pretty careful, and seems to deliberately wait for a while when a server changes state before CAU continues with the task sequence.



Microsoft Deployment Toolkit (MDT) 2012 Download

Microsoft has released the new 2012 download for the free task sequence based imaging solution for deploying Windows (and it integrates into System Center 2012 Configuration Manager).

Deploy Windows 7, Office 2010 and 365, and Windows Server 2008 R2 with the newly released Microsoft Deployment Toolkit 2012. MDT is the recommended process and toolset for automating desktop and server deployment. MDT provides you with the following benefits:

  • Unified tools and processes, including a set of guidance, for deploying desktops and servers in a common deployment console.
  • Reduced deployment time and standardized desktop and server images, along with improved security and ongoing configuration management.

Some of the key changes in MDT 2012 are:

  • Comprehensive tools and guidance to efficiently manage large-scale deployments of Windows 7 and Microsoft Office 365.
  • An enhanced User-Driven Installation (UDI) deployment method that utilizes System Center Configuration Manager 2012. UDI lets end users initiate and customize an OS deployment on their PCs—via an easy-to-use wizard.
  • Ease Lite Touch installation through integration with Microsoft Diagnostics and Recovery Toolkit (DaRT).
  • This release provides support for deploying Windows 8 Consumer Preview in a lab environment.

Application Catalog Is The Killer Feature In System Center 2012 Configuration Manager

I deliberately picked the Application Catalog as the focal point of my demo/presentation at the System Center 2012 launch events in Dublin and Belfast because it shows how System Center 2012 recognises that IT services must change to empower the user and embrace IT controlled/secured/audited automation.

The Past

SMS 2003 was the first “System Center” product that I worked with.  We wanted something that was more powerful than Group Policy for software deployment.  The company I was working for also just signed a Microsoft enterprise agreement and we needed a software auditing solution to live up to our requirements.  So I asked one of my team, who previously did consulting on SMS 2.0, to deploy it, and I learned the product from him.

The software deployment feature was powerful.  We’d import or create a package containing the files.  Maybe we’d have to tweak or create a program to install/uninstall the package.  We’d distribute the files to distribution points/secondary sites.  And then we’d advertise the required program to a collection of machines.  We never targeted users because they could roam and needlessly drag expensive software, such as Visio or Project, around with them, driving up our licensing costs.

It was easy to push out standard software like Adobe Reader.  It would go out to all Windows XP (as it was at the time) machines.  But Visio or Project?  We basically had to wait on a request.  A user would call the helpdesk asking for Visio and then a low priority ticket was created.  That ticket could wait until the higher priority tickets were dealt with.  Our Helpdesk had a 4 hour SLA so maybe 4 hours later (usually much less) they’d drop the user’s computer account into a security group for machines that should get Visio. 

And here’s why I told people that you need patience with Configuration Manager.  The process has gone unchanged … it’s just now we have a different way to tackle it.  In the past we had to push that software.  ConfigMgr/SMS would update collection memberships on a schedule, every 24 hours by default.  We had a “small” network (by Microsoft or ConfigMgr standards) so we scheduled the collection to update every hour.  Then it would query the new group membership and update its own membership. 

On the client machine, the ConfigMgr/SMS client would automatically connect to the Management Point every hour to get new policy.  At that point it would, thanks to the new Visio collection membership, realise it should install Visio.  It would then download the files and install.

Think about how long this took:

  • Helpdesk to respond – up to 4 hours (let’s go worst case scenario) – 4 hours
  • The collection to update – we’ll say 1 hour but it could have been 24 hours – 1 hour
  • The client to connect to the management point – up to 1 hour but we’ll say 1 hour

That’s a 6 hour wait for the end user to get a new application.  No wonder the business thinks that IT holds them back!  They can avail of cloud computing or a personal device (app on a tablet) in minutes, to deal with whatever business opportunity/challenge/threat is before them.  But with our push solution, IT takes 6 hours … and that could have easily been 29 hours!  That’s some “service”.

The Present

System Center 2012 is user centric.  That means the user is empowered to consume IT services in an on demand basis.  Those services are provided via System Center 2012, allowing IT to automate more, enable the user to consume as and when they need it, but IT can control, secure, and audit it.

Let’s take the Visio example.  I can create a Visio package with the automated installation.  I then create an application in System Center 2012 Configuration Manager.  I can use 2 types of deployment.  The first is a push, which is similar to what I discussed above.  That’s for when you want to push out software by policy.  And being a policy, the software will automatically get re-installed if it is uninstalled while the policy still applies.  There is a delay in the push, but we don’t mind.  That’s because we’re pushing out a policy to a large number of machines, and that’s probably something we do outside normal hours, and not to some “we want it now” demand.  Adobe Reader, Office, and so on are the sorts of app that you would deploy like this.

The second approach we can use is to publish the application in the Application Catalog.  Here you can list all elective software, the stuff you don’t include in your OS images or deploy on a widespread basis via policy.  Visio is a perfect example of this kind of app; it’s too expensive to deploy everywhere, and a few people will have a business case to require it.  When you create the application, you can add all sorts of text and keywords to describe the app and to make it searchable.

You can publish the URL to the Application Catalog to everyone’s browser via GPO.  And there’s a link to it in the new utility on the managed PC called Software Center.  Now a user wants Visio to open a VSD file.  They click the link to open the Application Catalog.  They can search, e.g. for .VSD file, and Visio appears in the results.  They click the Install button, and Visio installs … just like that.  It’s actually ConfigMgr doing the install, using the unattended config that you set up in the package.

Now Visio is expensive, so you don’t want everyone lashing it onto their PCs.  Not a problem!  With a mouse click, you configure the installation to require approval.  Instead of an Install button, the user is given a Request button.  They are asked to give a reason for the install and the request goes off into ConfigMgr where an administrator can review it and approve/reject it.  If it’s approved, the user will get an Install button.

The Future

We’d like that request process to be more auditable and to include non-IT staff, such as a faculty or department IT budget owner.  That’s where the Application Approval Workflow (AAW) comes in.  This combines the deployment functionality of Configuration Manager with the process and control functionality of System Center 2012 Service Manager.  Now the user can go into either the ConfigMgr Application Catalog or the portal of Service Manager, where they’d normally go to request IT services.  Requesting an approval-required application will create a service ticket in Service Manager and kick off an approval workflow. 

The engineering possibilities of workflow allow you to bring in alternative approvers based on your business or customer processes.  In other words, a budget owner can be notified of the request, read the business case, and reject/approve the install of the application.  And now IT just manages the system, instead of slowing down the business.  If there is slowness with this solution, the business can only look inwards to find a cause.

Configuration Manager 2012 Error, Past Due – Will Be Retired

I just had a bit of a head scratcher while building my ConfigMgr 2012 lab.  I had created an application to deploy Lync 2010 by policy to a collection of devices.  The “mandatory assignment” (this is old terminology for legacy packages/advertisements) was to install the Lync 2010 client as soon as possible.

I refreshed policy on my test machine and got this error in Software Center:

Past Due – Will Be Retired

Huh?!?!  I didn’t set an expiration on the deployment.  I could not figure this out.  The AppEnforce log in C:\Windows\CCM\Logs held the clue to this mysterious error:

Command Line: setup.exe /install /silent

The installer is called LyncSetup.exe, not Setup.exe.  I corrected the Deployment Type in my application for Lync 2010 and reran machine policy on the client machine.  The install now worked.  Then the real test: I manually uninstalled Lync, and ran the Application Deployment Evaluation Cycle on the client.  The reinstall (by policy) worked perfectly.

My Configuration Manager 2012 Demo Lab on Windows 8 (Client) Hyper-V

I am one of a number of guest presenters at the Microsoft Ireland System Center 2012 launch events in Dublin (this Thursday) and Belfast (next Tuesday).  Each of the 4 guests is presenting a different aspect of System Center in the afternoon, with 40-45 minute slots for each of us.

I have a background in SMS/Configuration Manager (I was an MVP for 1 year before switching to Hyper-V) and the others tend to focus on VMM/OpsMgr/Service Manager/Orchestrator so I decided I’d go for the product that I happen to love most of the lot … the one that lets an IT megalomaniac have his/her way with a network.  OpsMgr might be the product that I would always put in 3rd in a new network (DCs first, Hyper-V second), but ConfigMgr would never be far behind because I can get so much information from it and use it to deploy and control the entire lifecycle of the PCs.  So that’s what I’ll be focusing on in my presentation.

The lab “looks” something like this:


The “beast” laptop is booting from Windows 8 (the client OS) Consumer Preview and Hyper-V is enabled.  I have my VMs stored on the SSD.  The laptop is connected to Wi-fi with DHCP enabled, making it mobile – perfect for demos.  I need to be able to demo OS deployment with my lab so I need DHCP that is insulated from the physical world.  Therefore my lab guests are running on an internal virtual switch rather than an external one.

I still need Internet access.  That’s why I have an external virtual switch.  It is configured to enable the parent (the Win 8 OS on the laptop) to share the Wi-fi connection.  I have set up a virtual proxy server to enable the isolated guests to have Internet access – the Configuration Manager Primary Site Server needs to download updates from Microsoft. 

I also need the parent partition to access the internal virtual switch (to copy files to machines and to RDP into VMs for the demo – RDP performs better than Virtual Connect) and to simultaneously access the Wi-Fi network.  DNS was an issue.  The solution?  I have configured the Internal local area connection on the parent partition with an IP config for the Internal network.  The browser is also configured to use the guest proxy.  Problem solved and I’ve accelerated browser performance.

I have to set the presentation in stone still.  I got the lab 95% to where I want it but the presentation will be demo-centric:

  1. Talk about ConfigMgr
  2. The new approach of ConfigMgr and new features, then switch to demo
  3. OS deployment
  4. Security (Endpoint Protection, patching and firewall policy)
  5. End user experience – solve a problem using the Application Catalog
  6. Admin experience – New console, s/w deployment, custom policy, auditing, reporting, dashboards, etc.

Considering the focus of Configuration Manager 2012 is controlled, secure, and audited empowerment of the end user, I want to show as much of that as possible.  That’s the goal anyway.

Managing the iPad In The Enterprise

All that kerfuffle last year about Microsoft being late to market appears to have been valid.  iPads are turning up in the business.  And I don’t mean the MD bringing one in, or one here and another there.  I mean BIG numbers of them are turning up.  A well publicised example is SAP where they’ve deployed 12,000 iPads.  An interesting comment in the story is that the iPad is encouraging people to explore data and information, and probably empowering them to make better decisions.  A touch UI is more natural; maybe that’s part of it.  And tablets are small and light, meaning a person is more likely to bring it to and use it at coffee or lunch or home.

The interesting thing is that people aren’t talking about the entry of the iPad into this sort of market.  Let’s face it; we’ve been expecting this.

The conversation isn’t “Oh Microsoft are screwed and this is the death of the PC”.  We’re still early days in the “tablet at work” era, and if Microsoft don’t screw it up, Windows 8 with Office wave 15 could be a very powerful combination because of their possible integration with the normal PC and the LOB app.  I personally think 2013 will be an exciting time to be a .NET business applications architect.

But back on topic … what are people talking about?  Management.  How in the hell are businesses managing and securing these devices?  A recent survey said “Among 520 CIOs polled, 77% said they worry that further consumerization of IT will lead to greatly increased business risks”.

Right now, if you’re using iPads then you’re either trusting employees (I’m a techie megalomaniac mixed with a little [a lot] of Roy from the IT Crowd, so that doesn’t work for me) or they are using point solutions.

The point solutions will fall into one of two groups.  A Blackberry house, for example, will probably use a dedicated tool for controlling and configuring their RIM devices.  But along comes an iPhone or an iPad and they suddenly need another dedicated management system or something more generic. 

I think the best solution right now is to adopt a more generic mobile device management solution.  In a true consumerisation adoption, you have no idea what’s going to come in the door: Android, RIM, Apple, Microsoft, etc.  For the IT guys, the challenge is that each platform is completely different, so they’ll have to learn the strengths and weaknesses, develop a common denominator policy (PIN codes, remote wipe, etc), and then figure out how to secure each specific platform according to its unique needs.

But think about this.  That’s another management system for IT to deploy and look after.  What if you could have 1 integrated system that can manage PCs and mobile devices, configure and secure them.  We don’t have an RTM yet, but it’s coming: Configuration Manager 2012 from Microsoft System Center has mobile device management.  Information is still light on the ground on this feature, I guess all will be revealed when the products are launched.


Books for System Center Configuration Manager 2012

I was bouncing about on Amazon and noticed some books for System Center Configuration Manager 2012.

I’ve done some writing for Sybex so Mastering System Center Configuration Manager 2012 (due in March 2012) is the first one I’ll mention.  The blurb:

The latest version of System Center Configuration Manager (SCCM) is a dramatic update of its predecessor Configuration Manager 2007, and this book offers intermediate-to-advanced coverage of how the new SCCM boasts a simplified hierarchy, role-based security, a new console, flexible application deployment, and mobile management. You’ll explore planning and installation, migrating from SCCM 2007, deploying software and operating systems, security, monitoring and troubleshooting, and automating and customizing SCCM 2012 with scripts.

  • Features an unparalleled team of authors, two of whom are insiders at Microsoft and have worked with SCCM since nearly its inception
  • Provides in-depth coverage and offers a hands-on approach to learning all there is to know about SCCM
  • Explores why SCCM 2012 is the most significant update in its 16-year history

Packed with real-world scenarios to show you how to use SCCM in various contexts, Mastering System Center Configuration Manager 2012 covers all aspects of this powerful and complete network software deployment tool.

I read the Unleashed book for ConfigMgr 2007 and thought it was good.  This is the successor, System Center Configuration Manager 2012 (due in April 2012).  This book’s blurb is:

This is the first and only comprehensive reference and technical guide to Microsoft System Center Configuration Manager 2012. A team of expert authors offers step-by-step coverage of related topics in every feature area, organized to help IT professionals rapidly optimize Configuration Manager 2012 for their requirements, and then deploy and use it successfully. The authors begin by introducing Configuration Manager 2012 and its goals, and explaining how it fits into the broader System Center product suite. Next, they fully address planning, design, and implementation. Finally, they systematically cover each of Configuration Manager 2012’s most important feature sets, addressing issues ranging from configuration management to software distribution. Readers will learn how to use Configuration Manager 2012’s user-centric capabilities to provide anytime/anywhere services and software, and to strengthen both control and compliance. The first book on Configuration Manager 2012, System Center Configuration Manager 2012 Unleashed joins Sams’ market-leading series of books on Microsoft’s System Center product suite: books that have achieved go-to status amongst IT implementers and administrators worldwide.

Best of luck to the authors; they’re probably busy writing away right now with deadlines coming in all directions.

Hmm, I wonder what ISBN 9781118251478 might be …
