Microsoft has recognized that environments aren't black and white. Some have Linux/Unix-based systems, some have Macs, and some users just sit at a thin-client terminal such as Wyse or Igel.
Then there are some that just use a tablet (iPad or Android based). Some are lucky enough to have a Windows 8 RT-based tablet such as the Microsoft Surface or Samsung ATIV.
What problems arise from all these devices and the consumerization of IT?
With all the different components in the mix, IT has a hard time managing all these different devices. They usually have different systems to manage different devices,
since a system that is good at Unix usually lacks features that work on Android or iPhones. With the surge of next-generation workers, people wish to bring their own device into the business.
(This Dilbert comic shows the frustration that IT people feel on many occasions.)
Now, Microsoft has been good at managing what they do best: Windows. They have done so since the first release of ConfigMgr in 1994 (good old SMS). The biggest change in ConfigMgr 2012 is that the system is now more user-centric,
meaning that the system is "aware" of users within the environment; previously it was aimed at just the device.
And with the upcoming release of Service Pack 1 there are several new features that make the IT admin's work easier:
* Support for Linux/Unix based Systems
* Support for Mac OSX
* Support for Windows Embedded
* Support for Android and iPhones (5 & 6) (using the Windows Intune Connector)
* Support for Windows Phone 8 and Windows RT (using the Windows Intune Connector)
If you are missing some devices here, ConfigMgr also supports devices that support Exchange ActiveSync, so ConfigMgr can be the center of your IT management infrastructure. It remains to be seen what functionality the Intune connector brings to mobile devices (and whether it can compare with other MDM systems on the market). The main problem with MDM is that people are concerned about the private data on their devices, since IT can, in some form, manage those devices.
You can read more about it here –> http://www.informationweek.in/mobile/12-12-05/3_factors_to_consider_for_framing_byod_policy.aspx?utm_medium=twitter&utm_source=twitterfeed
You can watch this video interview with Wally Mead, who is head of development of ConfigMgr, if you wish to know more about Intune and SP1.
Since there is a lot of competition on this front, ConfigMgr might gain the edge because of its vast support for devices, low cost and integration with other System Center products:
* System Center
* XenApp / XenDesktop
* + much more
With all these possibilities ConfigMgr can become a central point for managing all of your devices.
In the first part of this series I showed how you could run and install all the necessary prerequisites silently and automated; this time I will write a bit more instead of just adding the commands.
In Service Pack 1, Configuration Manager will finally include cmdlets for PowerShell, which allows for a scripted and automated setup process. Therefore I took the liberty of creating this post, which will show you how.
With this you can actually create a script for a new customer (if you already have knowledge of the customer's infrastructure) which contains everything you need to set up a full site. Then, when you are at the customer, run the script and take the rest of the day off.
Now what do we need in order to set up a full Configuration Manager site?
We need a boundary group (which contains a boundary; refer to my earlier post –> ), which in turn contains a distribution group and is assigned a site.
We need to enable discovery methods to fetch information such as user, group and computer objects.
We also need to set up AD publishing (if we did a manual ConfigMgr site agent install we wouldn't have to, but for ease of administration we are going to).
Next we are going to create a computer collection which is going to include our test servers. We are also going to create a user collection.
After that we are going to create an application which we are going to deploy to our computer collection,
all using PowerShell.
To start PowerShell against Configuration Manager, just click the file button inside the console and press Connect using PowerShell.
You can use Get-Command -Module ConfigurationManager to show all the commands available for Configuration Manager.
You can also use Get-Help <cmdlet> if you are unsure of the parameters that you need to use.
Also you can use Get-Help <cmdlet> -Examples if you want to see some examples.
NOTE: While trying to get this fully automated, I find it hard with the current release of the PowerShell cmdlets, but I've still gotten far. So this post will be updated periodically.
Create a new boundary: New-CMBoundary -Type ADSite -Value "Default-First-Site-Name"
Create a new boundary group: New-CMBoundaryGroup -Name Test -DefaultSiteCode TST
Add the boundary to the group: Add-CMBoundaryToGroup -BoundaryId 16777218 -GroupName "Test"
I got this boundary ID using Get-CMBoundary, since the command didn't parse the value ID properly.
You can use Get-CMBoundary and Get-CMBoundaryGroup to view the values. You also need to add the site code to the command so it assigns
that as the default site for the boundary group.
Get info from the Active Directory forest: New-CMActiveDirectoryForest -ForestFqdn demo.local -EnableDiscovery $true
Install the Configuration Manager agent: Install-CMClient -DeviceName ConfigMgr -IncludeDomainController $false -AlwaysInstallClient $false -SiteCode TST
Create a new device collection: New-CMDeviceCollection -Name "My Servers" -LimitingCollectionName "All Systems" -RefreshType Manual
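The commands above chained into one script, as an added example that is not the post's own code: it loads the console module, changes to the site drive, creates the boundary and looks its ID up with Get-CMBoundary instead of hard-coding 16777218, creates the boundary group with TST as its default site, adds the boundary and a distribution point to the group, enables forest discovery, pushes the client and creates the collection. The site code, forest, AD site name and device names are the ones used above; the DP host name cm01.demo.local, the module path derived from SMS_ADMIN_UI_PATH and the Set-CMBoundaryGroup -AddSiteSystemServerName parameter are assumptions, and parameter spellings follow the post, so check each cmdlet with Get-Help on your build.

```powershell
# Added example, not code from the original post. Assumed: the admin console is
# installed on this machine, the DP host name, and the parameter names noted below.
$SiteCode   = 'TST'
$ForestFqdn = 'demo.local'
$AdSiteName = 'Default-First-Site-Name'
$GroupName  = 'Test'
$DpServer   = 'cm01.demo.local'          # assumed site system hosting the DP

# The console sets SMS_ADMIN_UI_PATH to ...\AdminConsole\bin\i386; the module
# manifest sits one level up in ...\bin (assumed layout of the SP1 console).
$binPath = Split-Path -Parent $env:SMS_ADMIN_UI_PATH
Import-Module (Join-Path $binPath 'ConfigurationManager.psd1')

# Each site is exposed as a PSDrive named after its site code.
Set-Location "$($SiteCode):"

# 1. Boundary. Look the ID up afterwards via Get-CMBoundary; the post notes the
#    ID returned by New-CMBoundary was not usable directly.
if (-not (Get-CMBoundary | Where-Object { $_.Value -eq $AdSiteName })) {
    New-CMBoundary -Type ADSite -Value $AdSiteName | Out-Null
}
$boundary = Get-CMBoundary | Where-Object { $_.Value -eq $AdSiteName }

# 2. Boundary group with TST as default site, so clients inside the boundary
#    are assigned to this site automatically; then add the boundary to it.
if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
    New-CMBoundaryGroup -Name $GroupName -DefaultSiteCode $SiteCode | Out-Null
}
Add-CMBoundaryToGroup -BoundaryId $boundary.BoundaryID -GroupName $GroupName

# 3. Content location: associate the DP with the group (parameter name assumed
#    for the SP1 cmdlet; verify with Get-Help Set-CMBoundaryGroup).
Set-CMBoundaryGroup -Name $GroupName -AddSiteSystemServerName $DpServer

# 4. Forest discovery (feeds user, group and computer discovery) for demo.local.
New-CMActiveDirectoryForest -ForestFqdn $ForestFqdn -EnableDiscovery $true | Out-Null

# 5. Client push to the test server, domain controllers excluded, only where
#    no client is present yet.
Install-CMClient -DeviceName 'ConfigMgr' -IncludeDomainController $false -AlwaysInstallClient $false -SiteCode $SiteCode

# 6. Device collection limited to All Systems, refreshed manually.
if (-not (Get-CMDeviceCollection -Name 'My Servers')) {
    New-CMDeviceCollection -Name 'My Servers' -LimitingCollectionName 'All Systems' -RefreshType Manual | Out-Null
}

# Show the result: boundaries, the group with its default site, and the collection.
Get-CMBoundary | Select-Object BoundaryID, DisplayName, Value
Get-CMBoundaryGroup -Name $GroupName | Select-Object Name, DefaultSiteCode
Get-CMDeviceCollection -Name 'My Servers' | Select-Object Name, LimitToCollectionName
```

Run it from a console PowerShell session on the site server as a user with Full Administrator rights; the Get-/if checks make it safe to re-run, which is what you want for a bootstrap script you hand to a customer.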
Still more to come
To run the Setup Downloader from a command prompt:
- /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the C drive for a list of files that are outdated. No files are downloaded when you use this option.
- /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the C drive for a list of language files that are outdated.
- /LANG: Use this option to download only the language files to the download folder.
- /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command-line.
Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than the existing files.
To run the prerequisites downloader from command prompt
Open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
Type prereqchk.exe /LOCAL to open Prerequisite Checker and run all prerequisite checks on the server.
To install the ConfigMgr 2012 console unattended from a command prompt:
consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=0 DefaultSiteServerName=MyServer.Contoso.com
To install a ConfigMgr 2012 Primary Site
First off, you need to create a setup.ini file where you define a lot of variables. For a primary site these are the ones you need.
After you have created this file, start setup with the following command: setup.exe /script scriptpathandname
Content of the setup.ini file
SMSInstallDir=<ConfigMgr install folder path>
SDKServer=<FQDN for SDKServer>
PrerequisitePath=<Prereqs folder path>
ManagementPoint=<FQDN MP server>
DistributionPoint=<FQDN DP server>
AdminConsole=1 (0 if you don't want to install the console)
SQLServerName=<FQDN SQL server machine>
DatabaseName=<SQLServerName\InstanceName> (leave blank for the default instance)
Last but not least, the unattended install of SQL Server 2012:
setup.exe /ACTION=install /QS /INSTANCENAME="SCCM" /IACCEPTSQLSERVERLICENSETERMS=1
/FEATURES=SQLENGINE,SSMS /SQLSYSADMINACCOUNTS="test\administrator" /SQLCOLLATION="SQL_Latin1_General_CP1_CS_AS"
So next time I will start with PowerShell automation with ConfigMgr.
Updated with the ADK install, since you need this for SP1.
Install the Windows ADK silently. The feature IDs are:
- Application Compatibility Toolkit (ACT): OptionId.ApplicationCompatibilityToolkit
- Deployment Tools: OptionId.DeploymentTools
- Windows Preinstallation Environment (Windows PE): OptionId.WindowsPreinstallationEnvironment
- User State Migration Tool: OptionId.UserStateMigrationTool
adksetup /quiet /installpath <path> /features <featureID1> <featureID2>
adksetup /quiet /installpath C:\programfiles\adk /features OptionId.ApplicationCompatibilityToolkit OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool
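The unattended steps of this post and of the ADK update chained into one script, as an added example that is not the post's own code: ADK, SQL Server, prerequisite download and check, a generated setup.ini, the site install and the console. Media paths, share, FQDNs, site code and install folders are assumptions. The setup.ini section headers and the Action, ProductID, SiteCode, SiteName and PrerequisiteComp keys are not in the key list above; they come from Microsoft's unattended-setup documentation for ConfigMgr 2012 and must be checked against the documentation for your build before you rely on the file.

```powershell
# Added example, not code from the original post. Assumed: media paths, share,
# FQDNs, site code, install folders, and that a non-zero exit code means failure.
$Media    = 'D:'                                   # ConfigMgr 2012 SP1 media
$Bin      = "$Media\SMSSETUP\BIN\X64"
$Updates  = '\\MyServer\MyShare\ConfigMgrUpdates'  # prerequisite download share
$Staging  = 'C:\Installers'
$SqlMedia = 'E:'

function Invoke-Step([string]$File, [string]$Arguments) {
    Write-Host "==> $File $Arguments"
    $p = Start-Process -FilePath $File -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    # Treat any non-zero exit as failure (assumed for setupdl/prereqchk; also read
    # ConfigMgrSetup.log and ConfigMgrPrereq.log in the root of C: after a run).
    if ($p.ExitCode -ne 0) { throw "$File exited with code $($p.ExitCode)" }
}

# 1. Windows ADK, required before SP1 setup, with the four features listed above.
Invoke-Step "$Staging\adksetup.exe" ('/quiet /installpath "C:\Program Files\ADK" /features ' +
    'OptionId.ApplicationCompatibilityToolkit OptionId.DeploymentTools ' +
    'OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool')

# 2. SQL Server 2012 named instance for the site database, same switches as above.
Invoke-Step "$SqlMedia\setup.exe" ('/ACTION=install /QS /INSTANCENAME="SCCM" /IACCEPTSQLSERVERLICENSETERMS=1 ' +
    '/FEATURES=SQLENGINE,SSMS /SQLSYSADMINACCOUNTS="test\administrator" ' +
    '/SQLCOLLATION="SQL_Latin1_General_CP1_CS_AS"')

# 3. Prerequisite files into the share without UI, then the local prerequisite checks.
Invoke-Step "$Bin\setupdl.exe" "/NOUI $Updates"
Invoke-Step "$Bin\prereqchk.exe" '/LOCAL'

# 4. Answer file. The keys from the post plus the section headers and the
#    identification keys an unattended primary-site install needs (assumed from
#    Microsoft's documentation). DatabaseName carries the instance name because
#    the SQL instance above is not the default instance.
$ini = @"
[Identification]
Action=InstallPrimarySite

[Options]
ProductID=EVAL
SiteCode=TST
SiteName=Test primary site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=cm01.demo.local
PrerequisiteComp=1
PrerequisitePath=$Updates
AdminConsole=1
ManagementPoint=cm01.demo.local
DistributionPoint=cm01.demo.local

[SQLConfigOptions]
SQLServerName=sql01.demo.local
DatabaseName=SCCM\CM_TST
"@
Set-Content -Path "$Staging\setup.ini" -Value $ini -Encoding ASCII

# 5. Site install driven by the answer file, then the console on this server.
Invoke-Step "$Bin\setup.exe" "/script $Staging\setup.ini"
Invoke-Step "$Media\SMSSETUP\BIN\I386\consolesetup.exe" ('/q TargetDir="D:\Program Files\ConfigMgr" ' +
    'EnableSQM=0 DefaultSiteServerName=cm01.demo.local')
```

Because every step goes through Invoke-Step, the script stops at the first failing step instead of running setup.exe against a half-prepared server, and the prerequisite checker runs before the answer file is used.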
I see a lot of searches reaching the blog regarding boundaries and boundary groups, so I thought I should post a bit more about how these settings work and how they affect your site.
A boundary is a network location in your infrastructure that contains one or more devices that you want to manage. A boundary can be an IP subnet, an Active Directory site, an IPv6 prefix or an IP address range, and a ConfigMgr 2012 hierarchy can include any combination of these boundary types. Remember that to use a boundary you need to put it into a boundary group. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images.
When clients are connecting from the Internet, they do not use boundary group information. They download from any distribution point of their site (when the distribution point is configured to allow client connections from the Internet).
When you have created a boundary group, you must configure the boundary group to specify an assigned site for clients to use during automatic site assignment.
You can associate one or more distribution points with each boundary group, and you can also add a single distribution point to multiple boundary groups. The default behavior is to choose the closest server from which to transfer the content. Remember that ConfigMgr 2012 supports a client being a member of multiple boundary groups for content location, but not for automatic site assignment.
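A check for the three rules above (a boundary must be in a group, a group used for site assignment must have a default site, and a group must have a distribution point to serve content), as an added example that is not the post's own code. The site code TST is an assumption, and the GroupCount, DefaultSiteCode and SiteSystemCount properties are those of the SMS_Boundary and SMS_BoundaryGroup objects the cmdlets return; confirm with Get-CMBoundary | Get-Member that your build populates them.

```powershell
# Added example, not code from the original post. Assumed: site code TST and the
# property names on the objects returned by Get-CMBoundary / Get-CMBoundaryGroup.
Set-Location 'TST:'

$findings = @()

# Rule 1: a boundary that is in no boundary group is never used by intranet clients.
foreach ($b in @(Get-CMBoundary)) {
    if ($b.GroupCount -eq 0) {
        $findings += "Boundary '$($b.DisplayName)' ($($b.Value)) is not in any boundary group"
    }
}

foreach ($g in @(Get-CMBoundaryGroup)) {
    # Rule 2: automatic site assignment needs an assigned (default) site on the group.
    if (-not $g.DefaultSiteCode) {
        $findings += "Boundary group '$($g.Name)' has no assigned site; clients in it cannot auto-assign"
    }
    # Rule 3: content location needs at least one distribution point in the group.
    if ($g.SiteSystemCount -eq 0) {
        $findings += "Boundary group '$($g.Name)' has no site systems; clients in it cannot locate content"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Boundary configuration looks consistent' }
```

A boundary in more than one group is not reported, because that is supported for content location; only the assignment rule (one assigned site per client) cannot be checked this way, since it depends on which groups overlap on the network.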
What is important when planning your SCCM deployment? Plan for high availability! (Among other things.)
SCCM can span from a simple to a very complex solution, and it can sit in a complex hierarchy as well. So it is important to know "where do I need to deploy multiple servers in order to have HA" in SCCM.
* ConfigMgr clients can use any of the available servers. If you have multiple management points, the clients will try to contact one of them; if the one they try is offline they will try the other one. If all are offline, the client will cache the data until an MP is back up. The same goes for distribution points (if the content the client is looking for is located on that DP).
If a client fails to submit data, the site can generate an alert in the console.
* ConfigMgr database: use a SQL cluster for the primary site or at the CAS (if you have one). Secondary sites do not support SQL clusters; to recover one you would need to reinstall the secondary site. Also remember that you can set up a maintenance task to take a backup of the ConfigMgr site.
* ConfigMgr sites: you can use a CAS (central administration site) with primary child sites (this can provide you with fault tolerance if you have a deployment that requires a CAS), but do NOT deploy a CAS server if you aren't sure that you need it.
* ConfigMgr roles: you can install multiple instances of roles such as management points and distribution points to provide redundancy for the clients. Remember that if you deploy multiple distribution points and want a client to fail over to another distribution point, they must be within the same boundary group.
* Active Directory: if you are using AD publishing (and most are), remember that the client will query AD to find its MP and site, so you will need multiple domain controllers (not only to load balance the queries but to provide HA). This goes for DNS as well, unless you are running another DNS server like BIND.
* PKI: ConfigMgr relies heavily on certificates for securing traffic; remember that you should have two subordinate CAs that can issue certificates.
Just some last notes: if you are using ConfigMgr you should have OpsMgr as well; use it to monitor your ConfigMgr, AD and AD CS solution!
There is a management pack available to monitor ConfigMgr within OpsMgr; you can find it here –>
NOTE: There are some roles that aren't meant for HA. These include:
Endpoint Protection Point
Asset Intelligence synchronization point
Enrollment point & Enrollment point proxy
Fallback status point
Out of band service point
Microsoft just released the beta of Service Pack 1 for System Center 2012.
And for ConfigMgr that includes:
- Deployment and management of Windows 8 and Windows Server 2012
- Distribution point for Windows Azure to help reduce infrastructure costs
- Automation of administrative tasks through PowerShell support
- Management of Mac OS X clients and Linux and UNIX servers
- Real-time administrative actions for Endpoint Protection related tasks
Now you can download each update from the Microsoft web site –>
Remember, before you install this, that you need the Windows 8 ADK installed before you can upgrade.
You can read more about the ADK in my previous post –> http://msandbu.wordpress.com/2012/06/15/sccm-2012-ctp1-sp1/
After the installation is complete you can open the console.
What else is new here?
We can now integrate with Intune, and we can host a distribution point in the cloud via Azure.
We also have something new for Windows RT:
Windows RT sideloading keys, which allow you to install Windows 8 appx packages (outside of the store) that can run on Windows RT. I believe this is much like the command.
For deployment types we have a whole bunch of new types.
So I’m waiting to see how we can deploy these apps to mobile phones.
We also have new client policy settings
for cloud and metered Internet connections.
These are useful if we wish specific clients to connect to a DP in the cloud to fetch data,
and if we wish clients to try to connect over metered connections.
Windows Intune connection:
NOTE: I didn't see any Linux/Unix agent on the media (the .install script); there was, however, a Mac OS X client.
For running PowerShell cmdlets on your ConfigMgr server you need to have Windows Management Framework 3 installed.
After installing the administrator console, you can connect to PowerShell by dropping down the arrow in the blue tab in the upper left corner. Click "Connect via Windows PowerShell".
Note that each of your sites will be a drive. So, if you have sites CAS and PRI, you can issue the CD command to change context between them: CD CAS: or CD PRI:.
And we now have a bunch of PowerShell cmdlets.
For instance, I can create a new device collection straight from PowerShell by running the command New-CMDeviceCollection.
We can also configure Folder Redirection policies under Compliance Settings.
Doing this makes it easier and more flexible to create different settings for each user.
This gives a glimpse of what we can expect from ConfigMgr later on, with the possibility to deploy applications to all types of devices (Mac OS X, iPad/iPod, Android, Linux/Unix, Windows 8, Windows RT). You can connect it to XenApp and App-V for advanced deployment types, and you can also integrate it with the cloud for extended management.
A couple of days ago, Microsoft released MDT 2012 Update 1.
This release included support for Windows 8 and Windows Server 2012.
Other features include:
I'll cover MDT 2012 and Windows 8 deployment in a couple of days.
Although Service Pack 1 for System Center 2012 is still in tech preview, it has a lot of features that need to be addressed.
Here is a list of new features in the latest CTP build 2 (which was released 15/06/12):
- Virtual Machine Manager
  - Improved support for network virtualization
  - Extend the VMM console with add-ins
  - Support for Windows Standards-Based Storage Management Service, thin provisioning of logical units and discovery of SAS storage
  - Ability to convert VHD to VHDX, use VHDX as base operating system image
- Configuration Manager
  - Support for Windows 8
  - Ability to deploy Windows 8 apps
  - Real-time administrative actions for Endpoint Protection related tasks
- Data Protection Manager
  - Improved backup performance of Hyper-V over CSV 2.0
  - Protection for Hyper-V over remote SMB share
  - Protection for Windows Server 2012 de-duplicated volumes
  - Uninterrupted protection for VM live migration
- App Controller
  - Service Provider Foundation API to create and operate virtual machines
  - Support for Azure VM; migrate VHDs from VMM to Windows Azure, manage from on-premise System Center
- Operations Manager
  - Support for IIS 8
  - Monitoring of WCF, MVC and .NET NT services
  - Azure SDK support
  - Support for Integration Packs, including 3rd party
  - Manage VMM self-service user roles
  - Manage multiple VMM 'stamps' (scale units), aggregate results from multiple stamps
  - Integration with App Controller to consume hosted clouds
- Service Manager
  - Apply price sheets to VMM clouds
  - Create chargeback reports
  - Pivot by cost center, VMM clouds, price sheets
- Server App-V
  - Support for applications that create scheduled tasks during packaging
  - Create virtual application packages from applications installed remotely on native server
Now even though this is for the CTP2 build, ConfigMgr 2012 is still just in CTP1.
Information released during MMS was that ConfigMgr would have extended manageability for Mac & Unix.
This will include:
* Hardware and software inventory
* Endpoint Protection
* Software distribution
This will simplify management for the IT admin. A lot of users wish to use Mac OS X or Linux for specific reasons. Before, it was hard to allow use of Linux/Unix or Mac OS X in the environment because of the lack of manageability and the cost of the management tools you needed, and in many cases the Mac users don't represent the majority of users and therefore were not a priority.
But with SP1 hopefully that will change; now you have the ability to administer Windows, Linux and Mac OS X computers from one console (which includes a fully integrated antivirus solution).
These features for Mac & Linux are still not publicly available, so it remains to be seen whether the functionality provided is good enough for an enterprise environment.
Quick post: after I did some changes using the SDK for ConfigMgr 2012 I had trouble starting the console. It would just crash and report an error message.
Faulting application name: Microsoft.ConfigurationManagement.exe, version: 5.0.7743.0, time stamp: 0x4fb6dc3d
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7bafa
Exception code: 0xe0434352
Fault offset: 0x0000b727
Faulting process id: 0x1708
Faulting application start time: 0x01cd55eb018bd847
Faulting application path: C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 410539fd-c1de-11e1-ad00-080027082ac4
So instead of trying to debug it, I tried to uninstall and reinstall it.
After I reinstalled the admin console from the ConfigMgr media I couldn't connect. I got no error message whatsoever, just that I couldn't connect to that server. After inspecting the Event Viewer I saw that ConfigMgr was generating this error message:
Description = “Please upgrade your Admin Console to newer version”;
Operation = “ExecMethod”;
ParameterInfo = “SMS_Identification”;
ProviderName = “WinMgmt”;
StatusCode = 2147749889;
And now I thought, WTF?
After consuming a cup of coffee I remembered that I had CTP1 installed, so I reinstalled the admin console from the CTP1 media, not from the regular ConfigMgr 2012 media, and then it worked!
For large systems like ConfigMgr 2012 there are a lot of settings needed in order to get it running. Sometimes you miss a setting or two, or you forget to properly set the right access for an account.
From a security point of view there is a lot that can go wrong.
ConfigMgr requires a lot of security rights on client computers, on Active Directory, and on servers (if you use it for servers). And if someone manages to get full access to the console, well... then you're screwed.
Even if you managed to lock down your environment as tight as Uncle Scrooge's vault, that won't mean a thing if you didn't set up the site for encrypted traffic (of course it is a lot of hassle for someone to do damage to your environment, but it can be done). ConfigMgr 2012 leverages PKI for encryption, authentication and proof of identity between clients and site servers (check my previous post on setting up PKI for SCCM 2012). But there are also some other options that we will go through in this post which can raise your security level in ConfigMgr.
In order to configure ConfigMgr for PKI, you have to change a site property: configure site system settings for HTTPS only.
In order to deploy certificates to clients you can use the following deployment types.
* Use the /UsePKICert parameter with ccmsetup (this is mostly used for clients that connect from the Internet); remember you must also specify /mp: (with the FQDN).
If a certificate is not found, it will fall back to HTTP with a self-signed certificate.
* Deploying autoenrollment of certificates in AD (best for intranet clients).
* Using client push (Best for intranet clients)
NOTE: Because the location of the CRL is added to a certificate when it is issued by a CA, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager will use.
NOTE: When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you do not have to specify this root CA certificate. However, if you use multiple CA hierarchies and you are not sure whether they trust each other, import the root CA for the clients’ CA hierarchy.
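An added pre-flight check for the /UsePKICert deployment described above (not code from the original post): before ccmsetup runs, it looks in the machine store for a certificate with a private key and the Client Authentication EKU and validates its chain with online revocation checking, so an unusable certificate or an unreachable CRL (the CRL note above) is reported instead of silently producing a client that fell back to HTTP with a self-signed certificate. The management point FQDN, site code and ccmsetup path are assumptions.

```powershell
# Added example, not code from the original post. Assumed: MP FQDN, site code and
# the local path of ccmsetup.exe.
$MpFqdn   = 'mp01.demo.local'
$SiteCode = 'TST'
$CcmSetup = 'C:\Installers\ccmsetup.exe'

function Get-UsableClientAuthCert {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            # ccmsetup needs the private key and the Client Authentication EKU.
            if (-not $cert.HasPrivateKey) { continue }
            $ekus = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })
            if ($ekus -notcontains $clientAuthOid) { continue }

            # Build the chain with online revocation checking for every link:
            # an unreachable or stale CRL shows up here, not at install time.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            if ($chain.Build($cert)) { return $cert }
            $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Write-Warning ("Skipping {0}: {1}" -f $cert.Subject, $why)
        }
    } finally {
        $store.Close()
    }
    return $null
}

$cert = Get-UsableClientAuthCert
if ($cert) {
    Write-Host "Installing with certificate $($cert.Thumbprint) issued by $($cert.Issuer)"
    # /UsePKICert plus /mp:<FQDN> as described above; SMSSITECODE assigns the site.
    & $CcmSetup /UsePKICert "/mp:$MpFqdn" "SMSSITECODE=$SiteCode"
} else {
    # Stop rather than install: without a usable certificate the client would
    # fall back to HTTP with a self-signed certificate.
    Write-Warning 'No usable client authentication certificate; fix the certificate or CRL before running ccmsetup.'
}
```

A chain status of RevocationStatusUnknown or OfflineRevocation in the warning means the CRL distribution point in the certificate cannot be reached from this client, which is exactly the case the CRL planning note above warns about.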
If you are unable to use PKI, you can configure signing and encryption using 3DES and SHA-256.
In the Configuration Manager console, click Administration.
In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure.
On the Home tab, in the Properties group, click Properties, and then click the Signing and Encryption tab.
Configure the signing and encryption options that you want, and then click OK.
Remember to check that all your clients support SHA-256; older computers with old versions of XP or Server 2003 might have some issues with this.
Remember that the signing option protects the data from tampering but does not encrypt the data.
The encryption option encrypts the inventory data and state messages that clients send to management points in the site. But remember the additional CPU usage that will be required on clients and the management point to perform the encryption and decryption.
If you manage to set up SCCM with PKI, good! But there are a lot of other factors that you need to check as well.
* Keep your systems up to date.
Patching, patching & patching. Always remember to have the latest security updates installed. We saw a little while ago how short a time it took before an exploit was available for the security hole in RDP.
* Site-to-site server
Although Configuration Manager does secure communication between the site server and the computer that runs SQL Server, it does not secure communication between site system roles and SQL Server; therefore you should use IPsec to secure communications between these servers. If you do not set up secure communication here, they can be the victim of man-in-the-middle attacks.
* Site server to package source server
You should also use IPsec here if possible; if not, use SMB signing to ensure that the files are not tampered with before clients download and run them.
Of course, in order to view communication between servers a user would have to be on the same network as the servers. But always remember to use custom VLANs and ACLs where possible.
* Use non-default port numbers
A lot of attackers go after well-known ports. For instance, 1433 is the known SQL Server port, and HTTP & HTTPS use 80 & 443. If you want to use custom port numbers, remember to use them consistently across all sites in the hierarchy.
* Isolate site system roles
By having a server for each role you reduce the risk that a vulnerability on one site system can be used against a different site system. The fallback status point in particular should never be co-located with other roles, since this site system role accepts unauthenticated data from clients.
* Restrict user access.
Use RBAC, and delegate only permissions as needed.
* Job rotation
If someone has full admin access to ConfigMgr (or, for that matter, the CAS), remember to have a job rotation schedule; the biggest threat for a company is always a disgruntled employee with full access from the inside.
* PowerShell execution policy set to Bypass.
This setting allows clients to run unsigned PowerShell scripts, which could allow, for instance, malware to run on client computers.
* Deploying applications to “All systems”
If you have a licensed application like an Adobe application distributed to All Systems, a rogue client that installs an agent and gets its client information from AD would get access to that application.
* Desktop Viewers option
Make sure that you create a custom policy for each computer group, so you don't have a help desk user that can remote view every computer (and user, for that matter) in your site.
* Client Push Account
Create your own service account for this, and create a policy to deny the account the right to log on locally, since this account needs to be a member of the local Administrators group on each machine.
If someone gets access to this account, that lucky guy would have access to every client in your site. Of course you don't need to use client push install; you can do it by Group Policy instead.
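The client push account hardening described above, as an added example that is not the post's own code: create a dedicated account in AD and deny it interactive and Remote Desktop logon on a host through a security template, while leaving network logon (which client push needs to reach the admin$ share) untouched. In production the same user rights are set by Group Policy on every managed computer; the secedit template shows the setting on a single server. The domain, OU, account name and file paths are assumptions.

```powershell
# Added example, not code from the original post. Assumed: domain, OU, account
# name and the temp file paths; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Domain  = 'DEMO'
$Account = 'svc_cmpush'
$Ou      = 'OU=Service Accounts,DC=demo,DC=local'

# 1. Dedicated account: nothing else should share these credentials, since they
#    become local admin on every client.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    $password = Read-Host -AsSecureString "Password for $Domain\$Account"
    New-ADUser -Name $Account -SamAccountName $Account -Path $Ou `
        -AccountPassword $password -PasswordNeverExpires $true -Enabled $true `
        -Description 'ConfigMgr client push (local admin on clients, no interactive logon)'
}

# 2. Keep a copy of the current user rights: a template REPLACES the members of
#    each right it lists, so anything already denied must be merged in by hand.
& secedit.exe /export /cfg "$env:TEMP\rights-before.inf" /areas USER_RIGHTS /quiet

# 3. Security template: SeDenyInteractiveLogonRight is "Deny log on locally",
#    SeDenyRemoteInteractiveLogonRight is "Deny log on through Remote Desktop
#    Services". Network logon is deliberately not denied.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $Domain\$Account
SeDenyRemoteInteractiveLogonRight = $Domain\$Account
"@
Set-Content -Path "$env:TEMP\denylogon.inf" -Value $template -Encoding Unicode
& secedit.exe /configure /db "$env:TEMP\denylogon.sdb" /cfg "$env:TEMP\denylogon.inf" /areas USER_RIGHTS /quiet

# 4. Verify by exporting the effective rights and showing the two deny entries.
& secedit.exe /export /cfg "$env:TEMP\rights-after.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\rights-after.inf" -Pattern 'SeDeny(Remote)?InteractiveLogonRight'
```

If the account is later found logged on interactively anywhere (Security event ID 4624 with logon type 2 or 10 for this account), that is a sign the credentials have leaked, since the only legitimate use is network logon from the site server.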
* Require a password to PXE boot
If you enable this option, it adds an extra level of security to your site, since you reduce the risk of a rogue computer joining your site.
Also remember not to include business applications that contain sensitive data in a task sequence, since we don't want a rogue computer getting access to that data.
* Restrict whether users can install software interactively by using the Installation permissions client setting.
If you have this setting enabled for all users and it also applies to servers, users with access to a terminal server could install applications on it.
* Best practice from Microsoft.
Microsoft has a free tool named Security Configuration Wizard (SCW) which allows you to create a security policy that you can apply to all your servers.
It also has a template available for ConfigMgr 2012 which you can download here –> http://www.microsoft.com/en-us/download/details.aspx?id=29265
These are just some pointers of what you have to think about when deploying ConfigMgr 2012. There are a lot of other factors as well, which depends on what features you think about deploying in your site.
I recommend you check the TechNet documentation Microsoft has regarding Security in ConfigMgr http://technet.microsoft.com/en-us/library/hh508779.aspx