SCCM 2012 Internet-Based Client Deployment

Under SCCM 2007, Native Mode was a bit of a pain. You couldn’t mix and match http and https enabled clients in one site, so even where you didn’t need the HTTPS level security, you had to have it and there was always a client with a certificate issue somewhere.

So, with Configuration Manager 2012 we’re moving on significantly. Native mode is no more and everything got much simpler. A site can now serve HTTP and HTTPS based clients, the site and site systems also individually understand if a client is Internet or Intranet based and can be configured to respond to one or the other or both.

Here the site is configured:

This week we’ve deployed a few hundred SCCM 2012 RC2 clients as a test bed.

The majority of the clients we’re managing at this customer are purely Internet based with no access into the core network at any time. We’re having to manually provision them with the requisite certificates, more on which in another post, following which the client is installed using some of the nice new switches we have on the ccmsetup command line:

ccmsetup /usePKICert /NOCRLCheck /mp:https://ServerPublicFQDN.co.uk SMSSITECODE=AAA CCMHOSTNAME=ServerPublicFQDN.co.uk

/usePKICert tells the client to load the certificate

/NOCRLCheck tells the client not to try to find a CRL for the client download (this is for the client download from the MP only; CRL checking will be enabled for client → site communications unless specifically disabled in the site properties dialogue box above).

CCMHOSTNAME just tells the machine where its internet based MP is.
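
Because /usePKICert relies on a certificate that was provisioned by hand, it is worth checking the machine store before the installer runs. The script below is an added example, not part of the original post: it looks for a certificate with the Client Authentication EKU, a private key and a sensible validity window, and only then runs the ccmsetup command line shown above. The installer path and the 30-day margin are assumptions; the host name and site code are the post's placeholders.

```powershell
# Added example: pre-flight check before running ccmsetup with /usePKICert.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU
$MinDaysLeft   = 30                      # assumed renewal margin
$CcmSetup      = 'C:\Temp\ccmsetup.exe'  # assumed installer location

function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    # Find the EKU extension and look for the Client Authentication OID in it.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    # Usable only if the key is present and the certificate is inside its validity window.
    return ($hasEku -and $Cert.HasPrivateKey -and
            $Cert.NotBefore -le $now -and
            $Cert.NotAfter -gt $now.AddDays($MinDaysLeft))
}

# The trust chain is not validated here; this only checks what is in the store.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ClientAuthCert $_ })
if ($candidates.Count -eq 0) {
    Write-Error 'No usable client authentication certificate in LocalMachine\My; not installing.'
    exit 1
}
$candidates | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

$ccmArgs = @('/usePKICert', '/NOCRLCheck', '/mp:https://ServerPublicFQDN.co.uk',
             'SMSSITECODE=AAA', 'CCMHOSTNAME=ServerPublicFQDN.co.uk')
Start-Process -FilePath $CcmSetup -ArgumentList $ccmArgs -Wait
```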

When the client is installed the control panel applet knows how the client is accessing the infrastructure:

This one is on the internet and is happy about it.

Our client has joined a collection and gets an app, so we can see end-to-end that it’s working.

The app downloads and is installed. The DataTransferService log confirms the https connection (not that it could be working any other way, but it’s nice to see!)

We did a few other cool things with the solution. Here’s a screenshot of the console with the clients reporting in:

We deployed System Center Endpoint Protection:

SCEP is pretty cool now. The SCEP agent is policy-based, so as the client performs its first policy check upon installation, it is force-fed the SCEP client. No need to join a collection or submit inventory or any of those delays, straight in with the anti-malware! (It’s a shame it thinks VNC is a virus though).

So in rambling conclusion… SCCM 2012 RC2 IBCM = good. SCEP = good, everything = good.

Installing SCCM 2012 Beta 2

So, Beta 2 of SCCM shipped to the web earlier today. I was in the keynote presentation at MMS when this was announced, so when better to kick the new release’s tyres…

I am installing Beta 2 in our UK datacentre whilst I’m in MMS sessions in Las Vegas, so this will mainly be a quick screenshot runthrough with initial observations. More to come later…

Welcome splashscreen, looks good, plenty of options.

Have to install dot net 3.5 and 4.0 then we can proceed

For now we’re going to use a single site configuration; in live a Central Admin Site would be required:

We still have the familiar update download for external components:

BUT… There’s only 13 of them now (an improvement over the 89 required for CM07):

NB, the updates include SQL Express and dotnet, so it does take a little while…

Hey, the database has lost its default SMS_ prefix:

No more Native Mode, site now supports both HTTP and HTTPS.

This is cool. We can enable/disable the DP and MP role for the site during setup and specify the HTTP/S protocol.

A few pre-reqs to fix

Odd final screen… But we begin!

 

And we’re ready to go. Next we’ll actually try to get it to do something!

Microsoft Cloud Services

CloudPower

As anyone who has the indescribable pleasure of working or living with me will unerringly attest, I am a fully paid up member of the new computing paradigm club.  Every industry development is greeted with glee at the Quirkshop and I will gladly flit from vendor to vendor pursuing computing excellence in whatever form it takes.

Admittedly I have been a VDI sceptic in my time, I’ve been pretty much universally Microsoft focused for my entire IT career, have never dabbled with vegetarianism, never spent a year in a Kibbutz, don’t understand dance music, can’t watch anything with the word “celebrity” in its title and think that most green vegetables are an affront to humanity.

The above brings me jarringly to the reason for my breathless excitement. Here at Orinoko we’ve been using version one of Microsoft’s first cloud offering, BPOS, since we started the company and we have just migrated into the next version of this solution, Office 365 (a beta currently). Now, as mentioned above, I’m big into all this “cloud” stuff. I may have suggested on occasions that clouds consist of vapour, but that was just rum fuelled banter.

Office 365 gives us access to Lync, including Lync-to-Lync voice, which is very cool. It gives us very highly available Exchange 2010 and SharePoint 2010 too. As a small business, to run these systems on-premise would be costly in every regard, so to my luddite eyes the cloud solution is like voodoo.

Bolstered by my positive experience with Office 365 I have dipped my toe into Azure infrastructure services. Frankly I find the whole thing baffling, it just works.

Why didn’t we do this a hundred years ago? I spent a brief and misguided few weeks working for a Microsoft Small Business Server partner many years ago. The sort of system we would spend a fortnight implementing for a few thousand pounds can be had for literally cents on the hour for compute and single digit pounds per-user-per-month. Admittedly I can see how the costs might rack up (no pun intended), but this stuff just seems like magic.  

Finally, Intune. Now, as a Systems Management Guy ™ I realise that Intune is lacking in certain features we currently demand from our management solutions. In particular Software Distribution. BUT. If you currently have nothing in place for systems management, or if you have machines that live outside of your corporate LAN for most of their lives and you want to keep them patched, and secured and be assured that they’re not suffering from basic performance issues. And if you want to manage the licenses for the software already deployed on them, Intune is nothing short of fantastic.

And the monthly per-device charge includes an upgrade to Windows 7 Enterprise!

I have seen the future and it’s vaporised! Some of this stuff has a little way to go, but if the cloud model didn’t fit your organisation the last time you looked at it, it’s time to look again.

Errr… Where are my Power Management Reports?

I have a Reporting Services Point, I have R3, so where are my reports?

Answer = You have to import them. Perhaps slightly illogically this is via the same interface you used to copy the reports from ConfigMgr to SRS in the first place:

In the import wizard, rather than the default of Import existing Reports select the other option:

The cab file is installed in InstallDIR\Reports\Power Management\MicrosoftReportPack.cab

Hurray, more reports!

About User Device Affinity

I’ve been playing around with UDA with ConfigMgr 2012 Beta 1. Here are some random and scattered thoughts and details on this feature as it currently stands:

UDA is a critical feature of CM2012. Traditionally we have shied away from app deployment to users. In 2012 this all changes. At the moment the licensing models for the applications are too complex to embrace per-user deployment, the deployment process is too complex, and too latent, and the troubleshooting of user-based deployment is also too complex. In CM 2012, this is no longer the case.

UDA defines a relationship between a user and a device. Microsoft say that we (the admins) can now think “user” rather than “machine”. We have the concept of a Primary User for a device (this can be enumerated from Top Console User, set by the admin in the console, or set by the user in the agent or the software catalog(ue); I can also import a list of users+devices and set the primary user during OSD…).

A device can have one or more primary users and a user can have one or more primary devices.

UDA allows us to make intelligent decisions about software provision. For example:

Install the MSI or App-V version of Microsoft Office when the device is a primary device of the user targeted; install the Terminal Server version if the device is not a primary device

Only install the App-V version of Microsoft Visio if the device is a primary device of the targeted user, otherwise don’t install

This eliminates the current problem of users leaving software everywhere they log in. Quite how we license Visio for this scenario, I’m less sure???

This solution also eliminates the need for the logon event, a current per-user deployment bottleneck as the machine can be pre-determined and does not require the user to be logged on.

UDA is a paradigm-shift for us SMS & SCCM admins, and about time too! Machine Groups are no more!

Configuration Manager 2012 Detection Methods

Another day, another new ConfigMgr feature. Today I’ve been playing around with Detection Methods. This is a great new feature which gets us out of a variety of app deployment problem scenarios we have currently. In brief, consider the following scenario:

I wish to deploy a new application “Tobermory” to my clients. Tobermory depends on dotnet 3.5 and another application “Bulgaria”. These apps may already be installed on my machines, the installation may have been carried out manually or via Configuration Manager. Under the current Configuration Manager release we can set a program to depend on the installation of another program thus:

A totally flawed flowchart.

The problem with this stems from ConfigMgr’s ability to determine if the required application is already installed. Essentially it has no skills unless the app was installed by ConfigMgr in the first instance.

So, how does ConfigMgr 2012 improve this? With Detection Methods of course! Detection Methods enable a system to determine whether or not an application is already present on the system (think WSUS IsInstalled type functionality). The method for identifying if an app is installed (in Beta 1) covers MSI interrogation and script based detection. I’m hoping that Beta 2 will allow for basic registry and file scanning.

So, as you can doubtless see, this is a major improvement over the current detection method outlined above.
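
A script-based detection method can already do the registry scanning hoped for above. The following is an added example, not from the original post: a detection script for the post's hypothetical application "Tobermory". It assumes PowerShell 3.0 or later and the convention used by released ConfigMgr 2012 (exit code 0 with text on STDOUT means installed, exit code 0 with no output means not installed), which may differ in Beta 1; the minimum version is also an assumption.

```powershell
# Added example: script-based detection for the hypothetical app "Tobermory".
$DisplayName = 'Tobermory'          # application name from the post's scenario
$MinVersion  = [version]'1.0.0.0'   # assumed minimum acceptable version

# Check both the native and the 32-bit-on-64-bit uninstall keys, so the app is
# found whether it was installed manually or by Configuration Manager.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$found = foreach ($root in $roots) {
    Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName -and $_.DisplayVersion }
}

# Ignore entries whose version string does not parse or is too old.
$ok = $found | Where-Object {
    $v = $null
    [version]::TryParse($_.DisplayVersion, [ref]$v) -and $v -ge $MinVersion
}

# Any STDOUT text signals "installed"; staying silent signals "not installed".
if ($ok) { Write-Output "Installed: $DisplayName" }
exit 0
```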

As a brief aside, once we have a detection method defined we can “upgrade” these to “Global Conditions” which we can then re-use for any deployments. Out of the box we get a few (if you’re familiar with Group Policy Preferences you may recognise some of this):

• Machine AD Site
• CPU speed
• Mobile device type
• Free disk space
• Total Physical Memory
• Mobile input type
• Machine AD Organizational Unit
• Number of processors
• Machine Operating System and Architecture
• Machine Operating System Language
• Screen resolution
• ConfigMgr Assigned Site

These conditions can be leveraged for all deployment jobs allowing us as administrators to exploit these out of the box properties and define our own as we see fit.

Creating Deployment Types in Configuration Manager 2012

This video post runs through the creation of deployment types in ConfigMgr 2012 Beta 1. New to this release is Configuration Manager’s ability to control how the application is consumed, at runtime. This video blog runs through creation of deployment types, dependencies and the scenario-based selection of the deployment type at runtime.

Creating App-V Deployments in ConfigMgr 2012

Configuration Manager 2012 provides new functionality for handling multiple package types. The Config Manager Deployment Types replace advertisements and are sensitive to the context at runtime on the user device. If the user is logged on to a machine which is not their primary device, the agent can choose how to provision the application, App-V OR MSI, etc…

This video runs through the process of creating an App-V deployment type and shows the options for auto-installation of dependent apps and deployment type selection based on user-type.

Client Health Thresholds in ConfigMgr 2012 Beta 1

A colleague of mine, Andy Sallabank, has been participating in the ConfigMgr 2012 CEP and has been getting the inside track on some good stuff. This irked me somewhat, so to redress the balance I have registered myself. Andy has posted some good stuff on his blog around the new features to participate in the CEP, so not to be outdone, I am doing the same; so as part of a series looking at features in ConfigMgr 2012 Beta 1, I thought I would start by looking at client health thresholds. (Why not!?!?!?)

In the monitoring section of the console we can now pull up statistics on client health. Below you can see a report showing my SLA threshold, and the percentage of clients which met the threshold. This stuff is all integrated into the console, which meets with my approval.

I can go in and tweak SLA settings….

As well as do some pretty cool AD integration that allows us to determine when inactive clients last logged into their domain…

Anyone who is currently a ConfigMgr admin will rejoice! Or something. We all have our vbscripts, dudeworks tools and bits of for /f scripts we use for these tasks outside of the console. Maintaining a healthy client base is a full time job. With these things built in, and with auto-remediation to come, we finally have something on the horizon to eliminate some of the frustration of working with SMS!

All this stuff appears to be in its infancy, but from what I have heard and seen briefly at Tech Ed, I am expecting some really great things!

TechSmith SnagIt

It’s not often that I’m moved to eulogise a piece of software, especially something that sounds so innocuous, but the latest release of Snag-It (version 10) is an awesome piece of software, particularly for us tecchies writing technical documentation.

I’ve been a Snag-It user since version 8, paying a small fee for the major upgrades along the way. Snag-It is a screen-grabbing piece of software and has several major features which, if you’ve not seen the product are worth mentioning quickly:

· Multiple Capture Modes – Full Screen, Free Hand, Fixed Region, Time Delayed, include cursor, etc., etc., it also provides for capture of webpages with links, text capture, scrolling page capture. It goes on and on.

· Multiple Output Modes – Clipboard, File (every format you can imagine), output direct to a running application (direct into Word for example)

· Snag-It Editor – Crop, trim, annotate, blur, Spotlight and Magnify. It does that border stuff to make your page look torn and can add watermarks. The editor will by default automatically keep a copy of each captured image, this means you can be lazy, capture every shot you need in quick succession and stick them into your doc later.

New in version 10 is support for transparency, some new Editor features (page curl, cut-out effects) but in particular the screen magnifier and smart capture options are superb.

Pressing the Capture button (or Print Screen key) places a new screen magnifier (so you can see precisely where your capture region starts and ends) on the screen.

Magically the cursor auto selects the capture target: hover over a menu icon and the object itself will be the capture target, move outside of this and the whole menu bar becomes the target, then the child screen, finally the whole application window. Click and drag and this targeting is overridden by the regional select option. It works seamlessly, resulting in a much reduced amount of cropping required and a much slicker capture experience.

There’s a free 30 day trial available from www.TechSmith.com; well, well worth a look.
