Deploying Microsoft System Center Configuration Manager - Jacek Doktor - E-Book

Deploying Microsoft System Center Configuration Manager E-Book

Jacek Doktor

Description

Plan, design, and deploy System Center Configuration Manager 1706 like never before, regardless of how complex your infrastructure is

About This Book

  • The most up-to-date resource on deploying or migrating to System Center Configuration Manager 1706 within your IT infrastructure
  • Plan, design, and deploy ConfigMgr 1706 with ease, both on primary and multiple-hierarchy sites
  • Master the new features of ConfigMgr 1706, including Windows 10 support

Who This Book Is For

If you are a system engineer or an administrator planning to deploy Microsoft System Center Configuration Manager 1706, then this book is for you. This book will also benefit system administrators who are responsible for designing and deploying one or more System Center Configuration Manager 1706 sites in their new or existing systems.

What You Will Learn

  • Install ConfigMgr servers and the necessary roles
  • Design and scale ConfigMgr environments
  • Configure and administrate essential ConfigMgr roles and features
  • Create software packages using .msi and .exe files
  • Deliver detailed reports with an automatic patching process
  • Apply proper hardening on your deployment and secure workstations
  • Deploy operating systems and updates leveraging ConfigMgr mechanisms
  • Create high-availability components using the built-in mechanism for backup and recovery

In Detail

It becomes important to plan, design, and deploy configurations when administrators know that Configuration Manager interacts with a number of infrastructure components such as Active Directory Domain Services, network protocols, Windows Server services, and so on.

Via real-world deployment scenarios, this book will help you implement a single primary site or multiple sites. You will be able to efficiently plan and deploy a multiple-site hierarchy such as a central administration site. Next, you will learn various methods to plan and deploy Configuration Manager clients, secure them, and make the most of the new features offered through ConfigMgr 1706, such as compliance and deploying updates and operating systems to the endpoints. Then, this book will show you how to install, configure, and run SQL reports to extract information. Lastly, you will also learn how to create and manage user access in a ConfigMgr environment.

By the end of this book, you will have learned to use the built-in mechanism to back up and restore data and also to design a maintenance plan.

Style and approach

This step-by-step guide teaches you cool ways to plan, deploy, and configure ConfigMgr 1706. This tutorial, which complements the release of ConfigMgr 1706 with a refreshing new approach and expert guidance, will teach you everything you need to know about the essentials of server.


Page count: 275

Year of publication: 2017




Deploying Microsoft System Center Configuration Manager

Manage complex and heterogeneous workloads with ConfigMgr 1706

Jacek Doktor
Pawel Jarosz

BIRMINGHAM - MUMBAI

Deploying Microsoft System Center Configuration Manager

Copyright © 2017 Packt Publishing

 

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

 

First published: September 2017

 

Production reference: 1130917

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78588-101-5

 

www.packtpub.com

Credits

Authors: Jacek Doktor, Pawel Jarosz

Copy Editors: Stuti Srivastava, Madhusudan Uchil

Reviewers: Rafael Delgado, Rafal Kubiciel, Ronni Pedersen

Project Coordinator: Virginia Dias

Commissioning Editor: Kartikey Pandey

Proofreader: Safis Editing

Acquisition Editor: Heramb Bhavsar

Indexer: Aishwarya Gangawane

Content Development Editor: Sweeny Dias

Graphics: Kirk D'Penha

Technical Editor: Khushbu Sutar

Production Coordinator: Aparna Bhagat

About the Authors

Jacek Doktor is a Microsoft Certified Trainer. From 2008 to 2015, he held the Most Valuable Professional title in Enterprise Client Management granted by Microsoft. Apart from leading training sessions on System Center/Active Directory, he also performs IT system implementations and provides support to clients. His main scope of operation is Configuration Manager and all related technologies. He works for large Polish companies, and participates in projects led by Microsoft Poland. Apart from System Center, Jacek has enormous experience in Windows 10 deployment, migrations to Windows 10, and ConfigMgr report data usage.

Pawel Jarosz is an IT engineer with experience in various IT fields and platforms, including Microsoft Exchange and ConfigMgr. He is a Microsoft Exchange expert with experience in designing and maintaining hybrid infrastructures. Pawel is a cofounder of the Polish PowerShell User Group, and is passionate about automation, building monitoring solutions, and system integration. He runs the paweljarosz blog on Wordpress, where with a good dose of humor he shares his daily IT experiences. Pawel believes that the most stunning projects come not from the brain, but directly from the heart.


Table of Contents

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

Design Planning

System Center Configuration Manager

When planning an upgrade

ConfigMgr hierarchy planning

Possible on-premise scenarios

Primary site

Primary site with secondary site

Central administration site with primary sites and secondary sites

Important servers roles

Management point server role

Distribution point server role

MS SQL Server role in ConfigMgr environment

Sizing and scaling of ConfigMgr

Site types

Central administration site

Primary site

Secondary site

Supported number of clients

ConfigMgr in Azure

ConfigMgr as a VM in Azure

Cloud-based distribution points

Planning for high availability with ConfigMgr

Reporting

Summary

Installing Configuration Manager

Configuration Manager installation process

System Center Configuration Manager 1706 requirements

Prerequisites for System Center Configuration Manager 1706

Environmental components

Granting permissions to the System container

Extending the Active Directory schema

Installing operating system components

Installing MS SQL Server

Installing Windows Assessment and Deployment Kit

ConfigMgr server installation

Checkouts after installation

Summary

Configure Sites and Boundaries

ConfigMgr server role types

Default roles

Optional roles

Roles installed during server deployment

Site server

Site system

Site database server

Service connection point

Distribution point

Management point

Methods of installing server roles

Create site system server

Add site system role

Fundamental optional server roles

Fallback status point

Reporting service point

Application Catalog

ConfigMgr server settings

Hierarchy site settings

Primary site settings

Discovery Methods

Active Directory Discovery Methods

Active Directory Forest Discovery

Active Directory User Discovery

Active Directory System Discovery

Active Directory Group Discovery

Heartbeat Discovery

Boundary and boundary groups

Configuring boundaries

Manually created boundaries

Automatically created boundaries

Configuring boundary groups

Default boundary group

Manual creation of boundary groups

Summary

Configuration Manager Agent Installation

Operating systems requirements

ConfigMgr client installation

Installation methods

Client push

Installing from the console

Manual installation on the operating system

Other installation methods

ConfigMgr client installation checkout

Troubleshooting client connectivity

Summary

Creating Client Settings for Servers and Workstations

Client settings

Default Client Settings

Creating custom settings for a device

Creating custom settings for a user

Assigning to a collection

Checkout of client settings

Collection settings

Summary

Compliance Settings

Compliance feature

Compliance Settings

Compliance Configuration Items

Compliance Configuration Baselines

Configuration Pack

Common tasks for managing compliance

Client setting for compliance

Deploying the compliance baseline

Viewing compliance results

Client reporting

Console reporting

Creating collections based on the compliance result

Managing resource and data access

Remote Connection Profiles

Company Resource Access

User Data and Profiles configuration

Summary

Software Distributions

Applications versus packages

Software distribution server roles

Application management features

Creating applications

Automatic application creation

Manual application creation

Global condition

Configuring application features

Supersedence

Application Catalog

References

Revision history

Deployment Types

Detection Method

Dependencies

Requirements

Application deployment

Simulating a deployment

Available deployments

Required deployments

Triggering an installation

Reporting

Invoking scripts on devices

Summary

Software Update Management

Software update features

Initial requirements

Server requirements

Client requirements

Client settings

Preparing ConfigMgr site for software updates

Installing WSUS

Software update point

The process of updates deployment

The process of synchronizing data with the WSUS server

The process of scanning for compliance

Scanning statuses

Updates deployment process

Integrating ConfigMgr server with Windows Update for Business and Windows 10

Supporting non-Microsoft Updates

Maintenance setting on collection

Update search

Server group

Deploying software updates

Deployment preparation

Manual update deployment

Windows 10 as a service

Office 365 Client Management

Monitoring software deployment

Software Update Reports

Software Update Dashboard

Summary

Endpoint Protection

Understanding Endpoint Protection

Endpoint Protection point

Client Settings for Endpoint Protection

Configuring a software update point for Endpoint Protection

Antimalware policies

Firewall policies

Windows Defender Advanced Threat Protection

Monitoring Endpoint Protection status

Endpoint Protection state

Endpoint Protection alerts

Summary

Operating System Deployment

Operating system deployment

Operating system deployment terminology

Windows Assessment and Deployment Kit

Windows PE

Operating system image

Deployment Image Servicing and Management

Windows System Image Manager

Windows image file format

System Preparation Tool

Windows Deployment Service

Microsoft Deployment Toolkit 2012

User State Migration Tool

Packages during operating system deployment

Unified Extensible Firmware Interface

Operating system deployment scenarios

Bare-metal installation

Operating system refresh

In-place upgrade

Side-by-side migration

Task sequences

Task sequence creation

Drivers

Installation of imported drivers

Driver installation using packages

Deployment types

Windows 10 servicing

Servicing plan

Windows Update for Business policies

Upgrade Readiness

Summary

Configuration Manager Assets

Data collection

Queries

Reports

Hardware inventory

Software inventory

Asset Intelligence

Collection queries

Console queries

Console reports

Summary

Role-Based Administration and Security

Introducing role-based administration and security

Hardening the infrastructure

Access to the console

Security scopes

Security roles

Granting permissions to the ConfigMgr console

Service accounts

Remote Tools

Client Settings

Securing remote control

Summary

Site Server Maintenance Tasks

Maintenance tasks

ConfigMgr backup

ConfigMgr server recovery

Other ConfigMgr server maintenance tasks

Environment monitoring

Summary

Preface

This book might differ from other publications related to System Center Configuration Manager. It is not strictly for administrators and operators as we do not go very deep into the details of the configuration and administration of individual system components. In this book we put the emphasis on understanding what circumstances ConfigMgr can be used in, what kinds of function it may play in the environment, and what goals can be achieved. ConfigMgr is not only a system used to deploy operating systems, updates, and other software, but it is also a system of much wider scope and usage--and this is what we intended to cover.

What this book covers

Chapter 1, Design Planning, covers basic topics regarding designing and deploying a single ConfigMgr server as well as environments with more than one server. You'll learn what important factors should be taken into consideration while deploying a ConfigMgr server and its roles.

Chapter 2, Installing Configuration Manager, presents the process of preparing the environment for a ConfigMgr server as well as the installation itself.

Chapter 3, Configure Sites and Boundaries, covers topics related to boundaries and boundary groups as well as the configuration of roles typically used in deployments.

Chapter 4, Configuration Manager Agent Installation, presents the ConfigMgr client installation process, the available installation methods, and how to check whether the installation was successful.

Chapter 5, Creating Client Settings for Servers and Workstations, covers creating your own custom settings for ConfigMgr clients.

Chapter 6, Compliance Settings, discusses how ConfigMgr can be used to verify computers' compliance with company standards.

Chapter 7, Software Distributions, covers topics related to software deployment.

Chapter 8, Software Update Management, presents the process of scanning, the installation of updates, and the management of this process.

Chapter 9, Endpoint Protection, contains topics related to the deployment and management of Endpoint Protection in order to better secure the environment against malware.

Chapter 10, Operating System Deployment, covers basic concepts for operating system deployment.

Chapter 11, Configuration Manager Assets, presents the process of collecting data from clients, and many possible ways of using this data.

Chapter 12, Role-Based Administration and Security, discusses the configuration of access to the ConfigMgr console.

Chapter 13, Site Server Maintenance Tasks, covers the topic of protecting the ConfigMgr server against failure and administrative tasks related to daily monitoring.

What you need for this book

In order to practice the scenarios from this book, you need the following software:

Operating system:

  • Windows Server 2012 R2
  • Windows Server 2016

Software:

  • SQL Server 2016 Standard edition
  • System Center Configuration Manager 2701
  • Windows ADK 10 1607 version
  • Active Directory

Who this book is for

If you are a systems engineer and administrator planning to deploy Microsoft System Center 2016 Configuration Manager, then this book is for you. This book will also benefit system administrators who are responsible for designing and deploying one or more System Center 2016 Configuration Manager sites in their new or existing systems. It is also a book for those who would like to know about the ConfigMgr possibilities and what benefits it can bring to the organization.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning. Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "New items can be created under Asset and Compliance\Compliance Settings\Configuration Items on the ConfigMgr console."

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "The Remediate noncompliant rules when supported and Allow remediation outside the maintenance window options enable the repair of configuration drift by the server."

Warnings or important notes appear like this.
Tips and tricks appear like this.


Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/DeployingMicrosoftSystemCenterConfigurationManager_ColorImages.pdf.


Design Planning

Delivering services for an enterprise data center is a focal point of all System Center family applications. The main idea is to ease maintaining the systems in each stage of the life cycle.

To gain as much as possible from each solution, it is crucial to understand that there is no such thing as one supported or preferred configuration. Having a solution properly planned and well tailored to your needs will bring much more value than a generic installation without proper planning and design, which may later come back to bite you as an infrastructure hiccup.

The same is true of a house, where the foundation is the most crucial part. If it is badly planned or, for instance, the construction project doesn't have enough detail and, as a result, the house is not insulated diligently enough, the repercussions might be really serious. Sometimes, you even need to cut the house from the foundations in order to repair what was done wrong during the construction phase.

This chapter covers the fundamental topics related to architecture design on ConfigMgr:

Why a well-prepared design is the most important part of each deployment

What the features of the ConfigMgr server are

Conditions and requirements when planning an upgrade to ConfigMgr 1706

ConfigMgr hierarchy types

Conditions that determine which hierarchy should be applied

Security for the ConfigMgr server

MS SQL Server roles in ConfigMgr deployments

What the functions of distribution and management points in ConfigMgr deployments are

System Center Configuration Manager

The history of managing operating systems reaches way back to 1994, when Microsoft released Systems Management Server version 1.1. Microsoft has developed the tool systematically ever since. After SMS 1.1, the versions that followed were SMS 2.0, SMS 2003, ConfigMgr 2007, and ConfigMgr 2012. Additionally, three service packs were prepared (R2 and the one and only in Microsoft history: R3) and an endless number of cumulative updates and patches.

In the last 20 years, ConfigMgr has changed a lot, and it has been subject to a real upturn. Earlier, it used to be called a slow message system because of many limitations, which caused it to be slow and problematic.

Starting from ConfigMgr 2012, the server became really stable and efficient and there were no huge problems as with the legacy versions. A lot of changes were implemented, including the following:

Console built using .NET: previously it was based on Microsoft Management Console 3.0. The console works faster and more reliably and provides much more data than the previous ones.

Functional enhancements for many components such as the data synchronization of software update data between the servers.

Saving data in the SQL database for each type of ConfigMgr server. This has radically improved efficiency and the speed of synchronization between the servers.

Introducing the application mode to natively support .msi files.

An endless number of updates for old features and introducing a large scope of new features.

The possibility to install ConfigMgr clients on macOS, Linux/Unix.

The possibility of managing mobile systems with Windows, iOS, and Android.

The ability to install applications on non-Windows systems.

ConfigMgr 2012 R2 and R3 were the next system versions where already existing features underwent development and changes. One of the changes that did not have an impact on functionality was the naming convention change. All versions beyond ConfigMgr 2012 R3 were named after the year and month of the release date. The first version that had this naming convention was ConfigMgr 1511, which signifies that it was released in November 2015.

ConfigMgr 1511, when compared to ConfigMgr 2012 R2, had many important changes.

The most significant changes were as follows:

Windows 10 servicing

Side loading app for Windows 10

Compliance settings for Windows 10

Preferred management point

Primary site support up to 150k clients

Support for SQL Server Always On

Native support for deploying updates for Office 365

Task sequences in-place upgrade for Windows 10

Multiple automatic deployment rules

Deploy Windows Update for Business

The current, and newest, version is 1706.

It brings the following significant changes:

Changes in managing updates

Improved clean up for old updates

Introducing Data Warehouse service point role

OMS connector

The ability to assign software update points to boundary groups

New compliance settings for iOS

Hardware inventory collects UEFI information

Converting BIOS to UEFI during in-place upgrade

Deploying Office 365 apps to clients

Managing express installation files for Windows 10 media

Support for Android for work

Note that it is always best and safest to use current branch versions instead of technical preview ones. Using the current branch version ensures that you get proper support from the vendor as well as from the community, so you can get help not only through your paid MS subscription, but also from other engineers on internet forums (and from the MSFT engineers who are often on these forums as well).

When planning an upgrade

If you plan to upgrade ConfigMgr 1607 servers to 1706, first ensure that all of the site servers across the hierarchy run the same version of ConfigMgr. The versions supported for upgrade to 1706 are 1602, 1606, and 1610.

With ConfigMgr 1706, support for a few systems was deprecated:

SQL Server 2008 R2 for site database servers

Windows Server 2008 R2 for site system servers and most site system roles

Windows Server 2008 for site system servers and most site system roles

Windows XP Embedded as a client operating system

The ConfigMgr installer automatically installs .NET 4.5.2, if it is not installed already, on each machine that hosts one of the following site system roles:

Enrollment proxy point

Enrollment point

Management point

Service connection point

Remember that, after installing .NET 4.5.2 and before the reboot, the server might experience some failures.

Apart from the prerequisites related to the operating system and .NET 4.5.2, other important points are as follows:

Remember to install all critical and security updates on the machines

Remember to review the status of your Software Assurance (SA) agreement because, if you plan to upgrade to/install ConfigMgr 1706, this needs to be active

If you plan to deploy workstations, remember to ensure that Windows Assessment and Deployment Kit (ADK) for Windows 10 is at least at version 1703

Check your hierarchy for any ongoing issues and fix them before upgrading to 1706

Ensure that replication between sites works without issues; to check it, you might use Replication Link Analyzer

When planning an upgrade for a hierarchy containing a central administration site and a primary site, the process needs to be initiated from the top, which means the central administration site needs to be upgraded first. Next come the primary sites and, last but not least, the secondary sites.
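
The pre-upgrade checks and upgrade order described above, as an added PowerShell example (not code from the book): it verifies that every site runs the same release, that the release is one the text lists as a supported source, and orders the sites top-down. The inventory, the `Release` field and the function name `Get-SiteUpgradePlan` are assumptions made for illustration; in a live hierarchy the site code and type come from the `SMS_Site` class.

```powershell
# Constructed sample inventory, not output from a real hierarchy.
# Type uses the SMS_Site values: 1 = secondary site, 2 = primary site,
# 4 = central administration site.
# Release is an assumed label that has already been derived for each site.
$inventory = @(
    [pscustomobject]@{ SiteCode = 'PHL'; Type = 1; Release = '1610' }
    [pscustomobject]@{ SiteCode = 'NYC'; Type = 2; Release = '1610' }
    [pscustomobject]@{ SiteCode = 'CAS'; Type = 4; Release = '1610' }
    [pscustomobject]@{ SiteCode = 'LON'; Type = 2; Release = '1606' }
)

function Get-SiteUpgradePlan {
    param(
        [Parameter(Mandatory = $true)]
        [object[]] $Sites,

        # Source versions the text lists as supported for upgrade to 1706
        [string[]] $SupportedSource = @('1602', '1606', '1610')
    )

    $tierName = @{ 4 = 'Central administration site'; 2 = 'Primary site'; 1 = 'Secondary site' }
    # Upgrade order from the text: CAS first, then primary, then secondary sites
    $tierRank = @{ 4 = 1; 2 = 2; 1 = 3 }
    $problems = New-Object System.Collections.Generic.List[string]

    # Check 1: all site servers across the hierarchy run the same version
    $releases = @($Sites | ForEach-Object { $_.Release } | Sort-Object -Unique)
    if ($releases.Count -gt 1) {
        $problems.Add("Hierarchy runs mixed versions: $($releases -join ', ')")
    }

    foreach ($site in $Sites) {
        # Check 2: each site runs a supported source version
        if ($SupportedSource -notcontains $site.Release) {
            $problems.Add("Site $($site.SiteCode) runs $($site.Release), which is not a supported source version")
        }
        # The [int] cast matters: WMI returns Type as UInt32, the table keys are Int32
        if (-not $tierRank.ContainsKey([int]$site.Type)) {
            $problems.Add("Site $($site.SiteCode) has unknown site type $($site.Type)")
        }
    }

    # Top-down order, with site code as a stable tie-breaker inside each tier
    $order = $Sites |
        Sort-Object @{ Expression = { $tierRank[[int]$_.Type] } }, SiteCode |
        ForEach-Object { '{0} ({1})' -f $_.SiteCode, $tierName[[int]$_.Type] }

    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Order    = @($order)
    }
}

$plan = Get-SiteUpgradePlan -Sites $inventory
$plan.Ready      # whether the hierarchy passed every check
$plan.Problems   # one line per failed check
$plan.Order      # sites in the order they should be upgraded
```

The plan only covers the version and ordering checks; the replication health, update status and Software Assurance items from the list above still need to be reviewed separately.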

ConfigMgr hierarchy planning

As mentioned earlier, spending some time on planning and analyzing your business may significantly help you in building a solution that will meet the requirements without being an overkill. It is always good to include some growth in your design plans, but there is a significant difference between planned overhead and overkill in achieving the goal.

If ConfigMgr 2007 is still in your environment, the administrator needs to go through an upgrade process to migrate to the 1706 version. For 2012, there is an in-place upgrade possibility. Note that upgrade process topics won't be covered in this book.

When it comes to hierarchy planning, ConfigMgr gives a few possible options. Since ConfigMgr 1511, Microsoft has supported running ConfigMgr on the cloud.

When considering your design, be aware that as of now, there is no support for using VM in Azure as a distribution point for WDS deployments using PXE. In such cases, use the on-premise distribution point.

SMS 2003 and ConfigMgr 2007 servers supported hierarchies made of many levels, which caused a lot more issues related to data synchronization between servers. In ConfigMgr 2012, Microsoft introduced some significant changes. A hierarchy might consist of only three levels, and data synchronization is done directly between SQL Servers, which is a significant factor in improving the functioning of the entire system.

Possible on-premise scenarios

When designing a ConfigMgr deployment, we may choose between a few server types, and we also have the ability to combine these few servers together.

An important thing to keep in mind is that there is, in fact, the possibility of changing the environment after the deployment. The administrator might start with one server, and have a few of them at the end, or the other way--the number of servers might go down. 

ConfigMgr is a scalable solution, so it can be changed and might grow together with the organization.

There is, however, one thing that cannot be changed--if we wish to have two primary site servers, we need to have a central administration site to connect them in one solid structure.

Primary site

Primary site is a fundamental ConfigMgr server type that manages the clients. We start each deployment by installing this server. As you can see, the smallest possible implementation is a single standalone server. This solution is often chosen, not only by small and average sized companies, but also by big firms with a dozen or so branches.

Even when you don't have the best connection between offices, you may use a distribution point that will be a local repository for clients; the idea of distribution points will be described later in this chapter.

In this scenario, all clients report to one single ConfigMgr server, so simplified administration is an undisputed benefit for both administrators and workstations, which have one point to report to. Having only one server eliminates the need to replicate the database.

When installing the standalone/primary site server, the complete version of the SQL database server is required. Being a primary site server, the machine participates in database replication:

Hierarchy with one server primary site

Primary site with secondary site

This scenario goes a step further. With a secondary site, we tell the clients in satellite offices/branches to report to the secondary site instead of the primary one. The reason we want a secondary site is that our primary site has very bad wide area network (WAN) connections with branches; additionally, during the day, we prefer not to fill this link with ConfigMgr traffic.

Imagine a situation where New York is our primary site and Philadelphia is an office with approximately 5,000 computers, and the WAN link between these two offices is really slow (any link slower than 10 MB may be considered slow) and also has some latency issues. Having the computers report to New York might be a real bottleneck, not just for workstation-to-ConfigMgr communication; it will surely impact applications that try to send data over this WAN link, so it may have serious repercussions for your business. Secondary sites come into play when one of the following factors is important:

Traffic compression between sites

Scheduling time for data exchange between the primary and secondary site

Usually, you won't need a secondary site; as I mentioned, even in global enterprise deployments, people often choose to have one primary site with distribution points in satellite offices:

Hierarchy with one primary site and secondary site

Central administration site with primary sites and secondary sites

This is the most complex scenario we can get. A central administration site may coexist with one or more primary sites--it is the top-level site in the hierarchy. You may consider using a central administration site if you have two or more very big sites (where the sum of Windows clients, for instance, might be bigger than 150,000), or if you would like to keep the clients of each site separate from each other--the legal factor might come into play in this case:

Most complex structure of ConfigMgr

A central administration site does not play any role in managing the clients in terms of actually having some clients assigned to it. You are not able to assign any clients here. It does not process any client data; it just saves data about the whole hierarchy.

A central administration site server can be added to the primary site at any time. There is no need to install the central administration site as the first server in the hierarchy.

With the central administration site and two primary servers connected to it, it is possible--in the case of failure of one of them--to switch endpoints to report to the working one. This feature is the easiest form of high availability provided for endpoints. However, this switch does not happen automatically, and it needs to be triggered from the server console.

There is always a possibility to add or remove servers from the hierarchy and switch endpoints to report to the other server.

Important server roles

The most important roles, which need to be considered when designing the environment, are management point and distribution point.

If these roles are properly designed and deployed, the environment will work swiftly, reliably, and in accordance with expectations.

Management point server role

The management point is the most important server role that needs to be deployed in the ConfigMgr environment, as it provides communication between the ConfigMgr server and the clients. If this role is not functioning correctly, clients will be unable to communicate with the server, which results in an immediate break in managing the environment. Communication becomes impossible in both directions, and clients won't be able to send any data to the ConfigMgr server.

We might connect more than one management point to each ConfigMgr server. This situation might be desired when one single ConfigMgr server is servicing many clients or when endpoints are located in various geolocations and the administrator wants to provide good communication between the ConfigMgr server and the clients.

Clients choose the management point they will connect to, based on the boundary group, which will be described in more detail in Chapter 3, Configure Sites and Boundaries. Incorrectly designed infrastructure, resulting in a badly chosen management point by clients, might cause many unpredictable effects; for instance, clients won't perform installations, won't send data to the ConfigMgr server, or will connect and communicate with the wrong management point.
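An added example, not from the book: a Python sketch that audits a boundary-group plan before rollout, flagging clients that fall in no boundary group or in several groups that name different management points. The group names, host names and addresses are constructed, and modelling every boundary as an IP address range is an assumption of this sketch.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (hypothetical names): boundary group -> its
# management point and the IP address ranges that form its boundaries.
PLAN = {
    "BG-NewYork": {"mp": "mp-nyc.example.test",
                   "ranges": [("10.10.0.0", "10.10.15.255")]},
    "BG-Philadelphia": {"mp": "mp-phl.example.test",
                        "ranges": [("10.20.0.0", "10.20.7.255"),
                                   # planning mistake: lies inside New York
                                   ("10.10.12.0", "10.10.12.255")]},
}

def _span(first, last):
    """Inclusive (low, high) integer span of an IP address range."""
    low, high = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if low > high:
        raise ValueError(f"range {first}-{last} is reversed")
    return low, high

def management_points_for(ip, plan=PLAN):
    """Management points of every boundary group whose ranges contain ip."""
    addr = int(ipaddress.ip_address(ip))
    return sorted({group["mp"] for group in plan.values()
                   for rng in group["ranges"]
                   if _span(*rng)[0] <= addr <= _span(*rng)[1]})

def overlapping_ranges(plan=PLAN):
    """Address spans shared by two groups that name different management points."""
    hits = []
    for (a, ga), (b, gb) in combinations(sorted(plan.items()), 2):
        if ga["mp"] == gb["mp"]:
            continue
        for ra in ga["ranges"]:
            for rb in gb["ranges"]:
                low = max(_span(*ra)[0], _span(*rb)[0])
                high = min(_span(*ra)[1], _span(*rb)[1])
                if low <= high:  # the two ranges intersect
                    hits.append((a, b, str(ipaddress.ip_address(low)),
                                 str(ipaddress.ip_address(high))))
    return hits

def audit_clients(client_ips, plan=PLAN):
    """Clients covered by no boundary group, and clients covered by several."""
    report = {"unassigned": [], "ambiguous": []}
    for ip in client_ips:
        mps = management_points_for(ip, plan)
        if not mps:
            report["unassigned"].append(ip)
        elif len(mps) > 1:
            report["ambiguous"].append(ip)
    return report
```

Running `audit_clients` over an address inventory before the boundary groups are created shows which workstations the plan leaves without a management point and which ones it assigns to more than one.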

In versions prior to 2012, it was not possible to tell the workstations which management point should be used. Secondary servers were used as a workaround, as it was possible to assign a workstation to a particular secondary server. Starting from the 2012 version, there has been the option of setting the management point as the preferred one from a certain site.

For better and more efficient usage of the network between the central office and company branches, it is possible to place the primary site server or simply a management point in these branches. In this scenario, all data targeting clients will be sent only once--from the primary site server to the management point from which clients will download the data using the local network.

This happens in the other direction as well. When clients are making a hardware inventory, they send all pieces of data to the management point server; it aggregates the data and sends it at once to the ConfigMgr server. In this way, the administrator is able to significantly lower the amount of information sent over the network in the ConfigMgr environment.

Distribution point server role