The Bottom Line - Mastering System Center 2012 R2 Configuration Manager (2014)

Appendix. The Bottom Line

Each of The Bottom Line sections in the chapters suggests exercises to deepen skills and understanding. Sometimes there is only one possible solution, but often you are encouraged to use your skills and creativity to create something that builds on what you know and lets you explore one of many possible solutions.

Chapter 2: Planning a Configuration Manager Infrastructure

1. Plan and design a Central Administration Site. One of the first questions you will ask yourself while starting to design and plan a new Configuration Manager 2012 hierarchy is “Do I need a Central Administration Site?” The answer to this question is essential for your final design.

1. Master It Determine when a CAS is needed.

2. Solution When there is a need for more than one primary site in your Configuration Manager infrastructure, you also need a CAS. Adding a CAS to the Configuration Manager 2012 hierarchy is not possible, so be sure to plan your Configuration Manager 2012 hierarchy correctly.

2. Plan and design an effective Configuration Manager 2012 infrastructure. When planning and designing a new Configuration Manager 2012 infrastructure, it is important to plan your site placement appropriately. The design rules for primary sites have changed from how they were in Configuration Manager 2007.

1. Master It Understand the reasons for not needing an additional primary site implementation.

2. Solution You don’t need to implement an additional primary site for the following reasons:

§ Decentralized administration

§ Logical data segmentation

§ Discrete client settings

§ Languages

§ Content routing for deep hierarchies

3. Identify the enhancements to the distribution point site system role. Distribution points in older versions were used to provide local points for accessing content and later also for App-V streaming. In Configuration Manager 2012 distribution points do a lot more.

1. Master It Distribution points have been enhanced. What roles and components are merged with the new distribution point, and what’s new?

2. Solution Tricky question; not only are the PXE-enabled distribution points and the multicast-enabled distribution points merged with the new distribution point, but also the old branch distribution point and the distribution share are merged. The distribution point can be installed on Windows versions for servers and computers. Some new features of the distribution point are

§ Bandwidth control

§ Scheduling and throttling data synchronization

§ Ability to specify drives for content

§ Content validation on the distribution point

§ Support for content prestaging

4. Prepare your current Configuration Manager 2007 environment for migration to Configuration Manager 2012. An in-place upgrade of Configuration Manager 2007 to Configuration Manager 2012 is not supported. Configuration Manager 2012 has a migration feature within the feature set to enable side-by-side migration.

1. Master It How can you as a Configuration Manager administrator or consultant prepare a current Configuration Manager 2007 environment for migration to Configuration Manager 2012?

2. Solution Steps you can take to prepare for the migration to Configuration Manager 2012 include the following:

§ Flatten your hierarchy where possible.

§ Plan for Windows Server 2008 R2, SQL 2008, and 64-bit.

§ Start with the implementation of BranchCache with Configuration Manager 2007.

§ Move from web reporting to SQL Reporting Services.

§ Avoid mixing user and device-collection definitions.

§ Use the UNC path in your packages instead of local paths.

Chapter 3: Migrating to Configuration Manager 2012

1. Determine what you are able to migrate with the migration feature. The new migration feature in Configuration Manager 2012 allows you to migrate the old Configuration Manager investments to Configuration Manager 2012 side by side. In earlier versions you were able to migrate the server in place or side by side by replicating data, but no real manageable migration feature was available.

1. Master It With the migration feature you cannot migrate things like the following:

§ Queries

§ Security rights for the site and objects

§ Configuration Manager reports from SQL Server Reporting Services

§ Configuration Manager 2007 web reports

§ Client inventory and history data

§ AMT client-provisioning information

§ Files in the client cache

To keep it positive, identify what objects you are able to migrate with the migration feature of Configuration Manager 2012.

2. Solution Almost every investment you made in Configuration Manager, whether Configuration Manager 2007 or 2012, you are able to migrate to a new Configuration Manager 2012 environment. The following list includes all the objects that can be migrated:

§ Collections

§ Advertisements and deployments

§ Boundaries

§ Boundary groups (Configuration Manager 2012 only)

§ Global conditions (Configuration Manager 2012 only)

§ Software distribution packages

§ Applications (Configuration Manager 2012 only)

§ Virtual application packages (Configuration Manager 2007 only)

§ App-V virtual environments (Configuration Manager 2012 only)

§ Software updates

§ Deployments

§ Deployment packages

§ Deployment templates

§ Software update lists

§ Software update groups (Configuration Manager 2012 only)

§ Automatic deployment rules (Configuration Manager 2012 only)

§ Operating system deployment

§ Boot images

§ Driver packages

§ Drivers

§ Images

§ Installer

§ Task sequences

§ Settings management

§ Configuration baselines

§ Configuration items

§ Asset intelligence

§ Catalog

§ Hardware requirements

§ User-defined categorization list

§ Software metering rules

§ Saved searches (Configuration Manager 2012 only)

2. Discover which migration approach is supported. Configuration Manager 2012 provides migration features that can be used for your migration of Configuration Manager 2007 to Configuration Manager 2012.

1. Master It With the earlier upgrades or migrations of Configuration Manager in your mind, what migration approaches are supported when migrating from Configuration Manager 2007 to Configuration Manager 2012?

2. Solution Configuration Manager 2012 officially supports only one migration approach, the side-by-side migration approach, when using the migration feature. The wipe-and-load approach is used only if you do not need to migrate anything from your old Configuration Manager 2007 environment.

3. Ascertain what kind of interoperability is supported during the migration. Interoperability like that supported in earlier versions is no longer supported; nevertheless, the migration feature of Configuration Manager 2012 supports some kinds of interoperability during the migration process. Depending on the size of your Configuration Manager 2007 or Configuration Manager 2012 source hierarchy, the migration can take some time.

1. Master It Interoperability like you were used to in SMS 2003 and Configuration Manager 2007 is no longer supported. Give two examples of interoperability features in Configuration Manager 2012.

2. Solution For interoperability purposes you are able to use shared distribution points in the process of migrating objects from a source Configuration Manager hierarchy to the new Configuration Manager 2012 hierarchy. Another interoperability feature is the ability to re-migrate updated objects. In other words, you can re-migrate objects that have been updated in the source Configuration Manager hierarchy while migrating other objects.

4. Migrate packages and programs to the new application model. The classic packages just migrated to Configuration Manager 2012 can be used and targeted to collections of users and computers, but Configuration Manager is built around a new application model that allows you to implement user-centricity in your Configuration Manager 2012 environment.

1. Master It Converting classic packages to the application model is not a feature of Configuration Manager, but with extra software it can be done from the Configuration Manager 2012 console in a couple of different ways. What is the name of the tool that you use to convert the classic packages, and what are the steps to convert a classic package?

2. Solution The tool that is used for converting classic packages is Package Conversion Manager. Package Conversion Manager fully integrates with the Configuration Manager 2012 console.

The steps you need to take to convert a classic package are as follows:

i. Analyze the classic packages for their readiness state.

ii. Convert classic packages that have a readiness state of Automatic.

iii. Fix and convert the packages that have a Manual readiness state.

iv. Test the applications before deploying them.

Chapter 4: Installation and Site Role Configuration

1. Understand Configuration Manager 2012 R2 sites and the new approach to hierarchy design. Configuration Manager 2012 R2 has three types of sites: the Central Administration Site, which is new, and the primary and secondary sites, which are familiar. Although two of the three site types are familiar, their use and approach to hierarchy design—or whether a hierarchy is needed at all—are quite different now.

1. Master It Describe the purpose of each site type and map each to specific management needs.

2. Solution

§ Central Administration Site: Only present if a hierarchy is being configured. Provides centralized administration for the hierarchy but no direct client management.

§ Primary site: Clients are assigned to primary sites, and this is where they receive management instruction, regardless of where in the hierarchy the client might be located.

§ Secondary site: This type of site is of use only in situations where bandwidth conditions are so slow or unstable as to require a site server to throttle even small traffic, such as discovery and inventory information.

2. Construct a Configuration Manager 2012 R2 hierarchy. The site hierarchy in Configuration Manager 2012 R2 consists of the site types just described. The approach to design is very different from the previous version, with the number of primary sites being limited to a single tier. The chapter walked through configuring a hierarchy with all three site types.

1. Master It Describe a Configuration Manager 2012 R2 site hierarchy. Detail components needed for site-to-site communication and security settings.

2. Solution

§ Hierarchies always consist of a CAS and at least one primary child site. Additional primary child sites might be in place as well. Secondary sites should rarely be used but may be added if needed.

§ Site-to-site communication requires site servers to have proper addresses and senders to be configured and correct credentials to be assigned where applicable.

§ ConfigMgr 2012 installations create several local security groups that are used to grant access to site resources and facilitate site-to-site communication.

3. Determine when to expand a hierarchy and when to simply add a site system role for additional service. A major design goal of Configuration Manager 2012 R2 is simplified hierarchy design. Administrators familiar with previous versions of Configuration Manager may be tempted to retain old hierarchy approaches when designing Configuration Manager 2012 R2. Taking such an approach will often lead to inefficient designs and additional server cost and in some cases simply won’t work.

1. Master It Understand the changes in sites and site components that lend themselves to hierarchy simplification and enable parity management with fewer site servers.

2. Solution

§ Distribution point modifications include the ability to throttle content directly to remote distribution points. In addition, it is now possible to install distribution points on workstation systems directly where needed.

§ Boundary groups simplify hierarchy configurations by allowing administrators to strictly define which distribution points are used to service specific client content requests.

§ The updated security model in Configuration Manager 2012 R2 allows administrators to scale out a single site while still maintaining logical separation of user role and function. There is no longer a technical need to have separate primary sites for servers and workstations. When managed properly, a single primary site is able to manage both seamlessly while protecting resources from access by unauthorized users.

4. Deploy and configure the various site system roles available per site. There are many roles available to enable management at a site. Understanding each role and the service it delivers is critical to getting the most out of an investment in Configuration Manager 2012 R2.

1. Master It Review critical system roles and understand the services that are enabled through each.

2. Solution

§ Critical site system roles are those that are required for basic ConfigMgr functionality at most sites. These include the management point and distribution point roles.

§ Management points facilitate client-to-site server communication.

§ Distribution points store content that may be needed by clients of the site.

Chapter 5: Cloud Integration

1. Test cloud distribution points before going into production. Before you go into production with cloud-based distribution points, you should test the service to make sure it meets your needs. The tools required for testing and the trial service are free.

1. Master It Creating a cloud distribution point is easy, but there are prerequisites that need to be met. You will need a Windows Azure account and Visual Studio to create the management certificate.

2. Solution Test cloud distribution points at no cost to you before you go into production. Get a free trial Windows Azure subscription that will allow you to test the service. You can also download Visual Studio Express 2013 for free to create the management certificate.

2. Control cloud distribution points usage costs. Don’t set and forget your cloud-based distribution points. Monitor their usage so you can control your costs. Monitoring usage will also help you determine when it is time to scale up.

1. Master It Make sure you have control of the charges associated with data transfers from your Windows Azure subscription.

2. Solution Take advantage of Configuration Manager alerts and options to control the amount of data you copy to cloud distribution points. Be proactive in monitoring the amount of data requested by your clients. Also be smart about what you copy to your cloud distribution points. Does it make sense to have large applications like Microsoft Office on your cloud distribution points? Probably not.

3. Simplify your hierarchy. Since the early development stages of Configuration Manager 2012, Microsoft has been telling us to flatten or simplify our Configuration Manager hierarchies. Cloud-based distribution points provide you with another opportunity to do so.

1. Master It Flatten your Configuration Manager hierarchy. There are probably site roles that could be decommissioned by deploying cloud-based distribution points.

2. Solution Consider replacing secondary sites or distribution points on remote locations and using cloud-based distribution points instead. When decommissioning a role is not possible, consider extending your private cloud hierarchy to the cloud. Don’t forget the flexibility and scalability cloud-based distribution points bring to Configuration Manager.

Chapter 6: Client Installation

1. Configure boundaries and boundary groups. Before starting any client installation, verify that you have configured a boundary group for site assignment.

1. Master It Let Configuration Manager Forest Discovery automatically create the boundaries and add them to the correct boundary groups.

2. Solution Once you have configured Forest Discovery, add the automatically created IP subnets to a new or existing discovery group.

2. Select the relevant discovery methods. You configure discovery methods in the Configuration Manager console. The Active Directory discovery methods all require a schedule and an LDAP path. There are schedules for delta and full discovery. In Configuration Manager 2012, delta discovery will also find changes to existing objects; this eliminates the need to run a full discovery more than once a week.

1. Master It Always know what you want to discover and where. Based on that knowledge, configure the needed discovery methods.

2. Solution The correct discovery method depends on how you want to deploy clients and work with features like application deployment. For a client push installation to work, it is a good idea to configure Active Directory Computer Discovery. On the other hand, if you want to deploy applications to end users, you also need to configure Active Directory User Discovery.

3. Employ the correct client installation methods. When configuring the client installation methods, make sure you know the pros and cons for each method. Some require firewall settings; others require local administrative permissions. You need to make sure that all the required settings are in place. Do not start any installation until you have the needed site systems, boundary groups, and command lines specified.

1. Master It Configure the correct command-line properties and ensure they will work for all environments (local forest, workgroup, and DMZ). Create multiple client push installation accounts, and ensure that you have a good understanding of the three phases (preinstallation, installation, and post-installation).

2. Solution Configure the command-line properties in the properties for the client push installation method. That way you ensure that the properties are always replicated to Active Directory and can be read during the client installation.

Furthermore, in the client push properties you should add the command-line properties that will also work in another forest and workgroup.

4. Manage Unix/Linux and Mac devices. Configuration Manager 2012 provides support for managing Unix/Linux and Mac computers as devices. You are now able to manage your entire computer infrastructure from a single management console.

1. Master It Understand the installation methods available for deploying the Configuration Manager client to the Unix/Linux computers and Mac computers. Remember that client push cannot be used for these devices.

2. Solution The client installation process for Unix/Linux devices has several required parameters, such as the site code, the management point, and the installation package to use. Use the optional parameters to define other client configuration features, such as the fallback status point to utilize or the folder that will be used for the client installation.

5. Ensure client health. Client status might not be the first task you think about when implementing a system like Configuration Manager. But it is crucial to the daily administration that you can trust the numbers you see in the reports and in the console. One way to ensure that is by making certain that all clients are healthy and are providing the server with up-to-date status messages and discovery information.

1. Master It Discuss the different environments that exist in your organization, and use that information when configuring client health alerts. Make sure that you know the client activity during a normal period and that you have a set of defined SLAs for each of the environments (laptops, road warriors, servers, call center, and so on).

2. Solution Create unique collections corresponding to each computer role type that you have. In the properties for every collection, configure the unique client status values.

Chapter 7: Client Health

1. Detail client health evaluations in Configuration Manager 2012. Health evaluations and remediations take place daily on every Configuration Manager 2012 client in the hierarchy. This information is updated at the site and is available for review on every client and also summarized for every client across the hierarchy.

1. Master It List the health evaluations and remediations that take place on Configuration Manager clients.

2. Solution

§ Review the CCMEval.log file to see all evaluations and remediations that are taking place on clients.

§ Review the CCMEval.xml file to understand the details behind each evaluation.

2. Review client health results in the Configuration Manager console. Client health data is available in several locations of the console to allow access to health for individual devices and summarized data for all clients in the hierarchy.

1. Master It List the locations in the console where individual client health and summarized client health data are accessible.

2. Solution

§ Individual client health data is available by viewing devices individually in collections.

§ Summarized client health data is available in the Monitoring workspace of the Configuration Manager console by choosing the Client Status node and then the Client Activity and Client Check nodes.

§ Configuration Manager 2012 R2 reports also offer a view into client health data.

Chapter 8: Application Deployment

1. Explain the options available for Application Deployment. The new Application Deployment model is a significant and welcome change for deploying software in the enterprise. There are many new components including a rules-based Requirements engine, the ability to detect whether the application is already installed, the option to configure application dependencies and relationships, and more.

1. Master It List several configuration options available for applications and deployment types.

2. Solution

§ Applications: The ability to publish in the Application Catalog, define supersedence, and reference information.

§ Deployment types: The ability to set dependency information, specify criteria defining whether an application is already installed, configure requirements, and set return codes.

2. Detail the various components required for Application Deployment. Success with Application Deployment requires that several other Configuration Manager 2012 components be available and properly configured. The list includes management point(s), distribution point(s), IIS, BITS, the client itself, and possibly more.

1. Master It List the components required for configuring an application deployment.

2. Solution The application and at least one deployment type and deployment content must be staged on at least one available distribution point. Clients must receive the deployment and pass any configured requirements, allowing the deployment to be initiated.

3. Understand the role of and manage distribution points. The role of distribution points has not changed significantly in that this is the role that makes content available to Configuration Manager 2012 devices and users. The options available for implementing the role have changed significantly with the inclusion of throttling to control content flow from the site server to remote distribution points, the single-instance storage approach for placing content on distribution points, the ability to detect content corruption, and the requirement that all distribution points be BITS enabled.

1. Master It Discuss the differences between implementing a distribution point role on the site server locally and remotely.

2. Solution

§ Local distribution point: Content is transferred by local file copy; there is no ability to throttle a local distribution point.

§ Remote distribution point: Content is transferred by network file copy without compression. The ability to throttle content is available, but content is not compressed.

Chapter 9: Software Updates

1. Plan to use Software Updates. You can use the same method of deployment intelligence that was used in Chapter 2 to gather information for planning to implement Software Updates. This will be very helpful in making sure that you get the most out of the Software Updates feature for your organization.

1. Master It What is the first step in gathering deployment intelligence when you are planning to implement Software Updates?

2. Solution You must determine what needs to be accomplished with Software Updates.

2. Configure Software Updates. Before you can utilize Software Updates in your environment, you must set up and configure the various components of this feature.

1. Master It What is the first thing you have to install before you can use Software Updates?

2. Solution You must install Windows Server Update Services (WSUS) 3.0 SP2. You can use either the full install or the WSUS administrative console, depending on what you are setting up.

3. Use the Software Updates feature to manage software updates. The hardest thing to do in SMS 2003 relating to patch management was to programmatically prioritize software updates that are critical so they can be deployed with a higher priority than other updates.

1. Master It What does Configuration Manager provide that can help with prioritizing software updates?

2. Solution Configuration Manager now includes the severity of all of the updates that are synchronized into the Configuration Manager database. With that data you can sort updates by that category and create search criteria and update groups based on their severity level so that you can use them as a source for your software update components.

4. Use automatic update deployment to deploy software updates. When you deployed software in Configuration Manager 2007, you deployed software updates through a procedure that consumed a lot of time.

1. Master It Configuration Manager has a new feature called Automatic Deployment Rules. What kinds of updates are suitable to deploy via the automatic deployment rules?

2. Solution Patch Tuesday software updates and definition files for Forefront Endpoint Protection can be deployed via the automatic deployment rules. Be sure to always test the updates to see if they have any impact on your environment.

Chapter 10: Operating System Deployment

1. Specify a Network Access account. The Network Access account is the account Configuration Manager will use to access the system while running WinPE.

1. Master It How do you specify the Network Access account?

2. Solution Open the Configuration Manager 2012 console, and do the following:

i. Choose the Administration workspace and expand Overview ⇒ Site Configuration ⇒ Sites.

ii. Select one of the sites for which you want to configure the Network Access account, and click Configure Site Components on the Home tab of the ribbon.

iii. Select Software Distribution.

iv. Select the Network Access Account tab, set the Network Access account to the account created earlier, and click OK.

2. Enable PXE support. PXE support in Configuration Manager is used to begin the operating system deployment process. The PXE feature responds to Configuration Manager clients making PXE boot requests.

1. Master It How do you set up PXE support?

2. Solution Open the Configuration Manager 2012 console, and do the following:

i. Choose the Administration workspace and expand Overview ⇒ Distribution Points.

ii. Select the site server on which the distribution point resides, and click Properties on the Site Role area of the ribbon.

iii. Select the PXE tab and click Enable PXE Service Point.

3. Update the driver catalog package. The driver catalog allows you to add drivers to the already created packages and images you have within your organization so you are not constantly re-creating your images when you get a new machine in your environment.

1. Master It How do you update the driver catalog package?

2. Solution From within the Configuration Manager console, do the following:

i. Choose the Software Library workspace, expand Overview ⇒ Operating Systems, and select Drivers.

ii. Click Import Driver on the Home tab of the ribbon of the Configuration Manager console.

iii. Browse to the network location of the drivers you want to import.

iv. Specify which package and boot images you want to import the specific drivers into.

4. Update an image from the console. In the past it was a big issue to keep your images up to date; no easy procedure existed. In Configuration Manager 2012 a feature called Schedule Updates exists to update your Windows images.

1. Master It How do you update your Windows images?

2. Solution From within the Configuration Manager console, do the following:

i. Choose the Software Library workspace, expand Overview ⇒ Operating Systems, and select Operating System Images.

ii. From there select a Windows image and click Schedule Updates in the Home tab of the ribbon of the Configuration Manager console.

The process of updating the images is scheduled; after finishing, the wizard and the update will start automatically.

Chapter 11: Inventory and Software Metering

1. Configure and manage Software Inventory. Configuring Software Inventory has changed in Configuration Manager 2012, although the client-processing part is almost the same as in Configuration Manager 2007.

1. Master It By default, Configuration Manager does not inventory for any file types. Where would you go to do that?

2. Solution Take the following steps:

i. Navigate to the Administration workspace, under Overview select Client Settings, and open the Default Client Settings properties.

ii. Select Software Inventory.

iii. Click Set Types.

iv. Click the New button, and configure the files or file types you want to include in the software-scanning process.

2. Configure and manage Hardware Inventory. Hardware Inventory provides a wealth of information on the hardware resources in your organization. That information is vital when planning for things such as updating standard business software or upgrading the standard operating system your organization uses. If the standard hardware inventory collected is not enough for your needs, then you have many options to extend the hardware inventory to get that vital information.

1. Master It Where do you enable or disable data classes in Hardware Inventory?

2. Solution You need to open the default client agent settings or create a custom client setting. Custom client settings can only be used when you want to enable data classes that already exist in Configuration Manager. For custom classes (or to delete classes) you need to modify the default client settings.

3. Configure and manage Software Metering. Keeping track of software that is installed and actually being used is a large part of being able to manage software licenses effectively. By pairing Software Metering in Configuration Manager with Software Inventory, you can get detailed information on just what software is out there and who is or is not using it. This goes a long way to help keep your software licensing in compliance.

1. Master It How long do you have to wait, at the very least, after you configure Software Metering before you can expect to see any data returned?

2. Solution You must wait at least 12 hours. Software Metering Data Summarization runs daily by default and will run only against data that is at least 12 hours old. This is required for all software metering reports to produce any meaningful data.

Chapter 12: Asset Intelligence

1. Enable Asset Intelligence. If you installed ConfigMgr from scratch, you will find that Asset Intelligence is not enabled by default. Depending on the data that you want information on, you will have to select the ConfigMgr Asset Intelligence reporting classes and make sure that client agents are enabled.

1. Master It Which classes in the Asset Intelligence Edit Inventory Classes dialog do you have to enable to use Asset Intelligence?

2. Solution You need to enable the following classes in the Asset Intelligence Edit Inventory Classes dialog to use Asset Intelligence:

§ SMS_SystemConsoleUsage

§ SMS_SystemConsoleUser

§ SMS_InstalledSoftware

§ SMS_AutoStartSoftware

§ SMS_BrowserHelperObject

§ SoftwareLicensingService

§ SoftwareLicensingProduct

§ Win32_USBDevice

§ SMS_SoftwareTag

2. Configure the Asset Intelligence synchronization point. The Asset Intelligence synchronization point is used to connect to System Center Online to synchronize Asset Intelligence Catalog information and get periodic updates.

1. Master It What do you need to do in order to configure the Asset Intelligence synchronization point?

2. Solution

§ You need to configure it on only the CAS or stand-alone primary site.

§ You may want to obtain an optional System Center Online authentication certificate.

§ If no valid certificate is issued, you can install the Asset Intelligence synchronization point without a certificate.

3. Import the Microsoft Volume License Statement. In ConfigMgr you can import the Microsoft Volume License Statement and the General License Statement so that the software inventory and Asset Intelligence can count the number of licenses currently in use in the environment.

1. Master It What file types does ConfigMgr 2012 support for the license statements?

2. Solution It will be a .csv file if the file to be imported is a General License Statement. If you are going to import a Microsoft Volume License Statement, it will be an .xml or .csv file. You can obtain this file by logging into the following website: http://licensing.microsoft.com. Alternatively, you can request this file from your Microsoft Technical Account Manager or Account Manager.

Chapter 13: Reporting

1. Install the Reporting Services point. Installing a Reporting Services site system within Configuration Manager allows not only administrators but everyone to view reports in some fashion, either in different file formats or through a direct link within the Report Manager website.

1. Master It What is the procedure to enable Reporting with Configuration Manager?

2. Solution Open the Configuration Manager 2012 console, and do the following:

i. Navigate to the Administration workspace.

ii. Expand Overview ⇒ Site Configuration ⇒ Servers And Site System Roles.

iii. Right-click the server and select Add Site System Roles.

2. Manage reporting security. Reporting security is an integrated part of the built-in security. You provide users with access to reports by adding them to a predefined security role or by creating a custom role with permissions to run or modify reports.

1. Master It Add users to a built-in security role.

2. Solution Open the Configuration Manager 2012 console, and do the following:

i. Navigate to the Administration workspace ⇒ Overview ⇒ Security ⇒ Administrative Users.

ii. Click Add User Or Group from the ribbon.

3. Create and manage report subscriptions. Creating subscriptions can be very helpful in many scenarios. You can configure subscriptions from Report Manager or in the Configuration Manager console.

1. Master It Create an email-based subscription.

2. Solution Open the Configuration Manager 2012 console, and do the following:

i. Navigate to the Monitoring workspace.

ii. Expand Overview ⇒ Reports.

iii. Select the report, and click Create Subscription from the ribbon.

4. Create custom reports. Creating custom reports can be helpful in many scenarios. You will quickly find that the canned reports are very useful but may not cover all your needs.

1. Master It Create a custom report.

2. Solution Open the Configuration Manager 2012 console, and do the following:

i. Navigate to the Monitoring workspace.

ii. Expand Overview ⇒ Reports, and select the appropriate folder.

iii. Click Create Report from the ribbon to start the process in Report Builder.

Chapter 14: Compliance Settings

1. Enable the client settings. Until the client settings are enabled for your Configuration Manager clients, your clients will not evaluate any of the configuration baselines. This is the first step in using Compliance Settings to validate client settings.

1. Master It Enable Compliance Settings for the Configuration Manager clients.

2. Solution In the Compliance Settings section of the client settings, set Enable Compliance Evaluation On Clients to True.

2. Create configuration items. Configuration items are the pieces that make up a configuration baseline. There are a number of different configuration item types in Configuration Manager, and depending on the type you choose to create, you are presented with certain options when creating your configuration item. The steps to create configuration items were covered in the first part of this chapter, and they included several examples of how to create the different types of configuration items.

1. Master It Create a configuration item for an application that checks a registry string value.

2. Solution Start the wizard from the Assets And Compliance workspace, Compliance Settings node; make sure you have Configuration Items selected, and right-click it. Choose Create Configuration Item. In the wizard, complete the following settings:

i. On the General tab, enter appropriate information for these fields:

1. Name: Application name and value description

2. Description: Configuration item for ...

3. Categories: Add categories

ii. On the Settings tab, choose New Settings ⇒ Registry Key from the menu and set the following options:

1. Hive: HKEY_LOCAL_MACHINE

2. Key: SOFTWARE\ ...

3. Is This Registry Key Associated With A 64-Bit Application: No

4. Report A Noncompliance Event When This Instance Count Fails: Yes/Checked

5. Instance Operator: Greater Than

6. Values: 0

7. Severity: Warning

iii. On the Settings tab, choose New Registry from the menu.

iv. On the General tab of the new registry validation, enter the following information:

1. Display Name: User-friendly name

2. Description: Description of what you are checking for

3. Hive: HKEY_LOCAL_MACHINE

4. Key: SOFTWARE\ ...

5. Value Name: Registry key value name

6. Is This Registry Key Associated With A 64-Bit Application: No

v. On the Compliance Rule tab of the new registry compliance, set Data Type to String.

vi. Click New on the menu in the details pane and, in the Configure Settings window that appears, configure these settings:

1. Name: User-friendly name

2. Description: Description of the value you are going to check for

3. Operator: Equals or Other operator

4. Value: Value to check the registry key for

5. Severity: Warning

vii. Click OK to return to the Validation tab of the new registry validation and set the following:

1. Is This Registry Key Associated With A 64-Bit Application: No

2. Report A Noncompliance Event When This Instance Count Fails: Yes/Checked

3. Instance Operator: Greater Than

4. Values: 0

5. Severity: Warning

viii. Click OK to save your changes to the Settings tab and move on.

ix. On the Detection Method tab, select the radio button Always Assume Application Is Installed.
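As a local cross-check of the registry rule built in the steps above (an added example, not from the book), this PowerShell 3.0+ function evaluates the same conditions on a test machine: the value exists, is a string, and equals the expected text. The key, value name and expected string are constructed placeholders, and both the reading of "64-Bit Application: No" as the 32-bit registry view and the case-sensitive comparison are assumptions.

```powershell
# Added example, not from the book: a local pre-check that mirrors the registry
# configuration item. Every value in $Rule is a constructed placeholder.
$Rule = @{
    SubKey     = 'SOFTWARE\ExampleVendor\ExampleApp'  # placeholder for "Key: SOFTWARE\ ..."
    ValueName  = 'ExampleSetting'                     # placeholder for "Value Name"
    Expected   = 'ExampleValue'                       # placeholder for "Value"
    Is64BitApp = $false                               # "...64-Bit Application: No"
}

function Test-RegistryStringRule {
    param([Parameter(Mandatory = $true)][hashtable]$Rule)

    # Assumption: "No" means the 32-bit registry view is the one evaluated on 64-bit Windows.
    $view = [Microsoft.Win32.RegistryView]::Registry32
    if ($Rule.Is64BitApp) { $view = [Microsoft.Win32.RegistryView]::Registry64 }

    $result = [ordered]@{ Compliant = $false; Reason = ''; Actual = $null; View = "$view" }
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $key = $null
    try {
        $key = $base.OpenSubKey($Rule.SubKey)   # read-only; returns $null when the key is absent
        if ($null -eq $key) {
            # Matches the instance-count rule (Greater Than 0): no instance, no compliance.
            $result.Reason = 'Key not found (instance count is 0)'
        }
        elseif ($key.GetValueNames() -notcontains $Rule.ValueName) {
            $result.Reason = 'Value not found (instance count is 0)'
        }
        else {
            $kind = $key.GetValueKind($Rule.ValueName)
            # Read REG_EXPAND_SZ unexpanded so the comparison sees the stored text.
            $options = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            $result.Actual = $key.GetValue($Rule.ValueName, $null, $options)
            if (@('String', 'ExpandString') -notcontains "$kind") {
                $result.Reason = "Data type is $kind, rule expects String"
            }
            elseif ($result.Actual -cne $Rule.Expected) {
                # Assumption: case-sensitive comparison, the stricter reading of "Equals".
                $result.Reason = 'Value differs from expected string'
            }
            else {
                $result.Compliant = $true
                $result.Reason = 'Match'
            }
        }
    }
    finally {
        if ($key) { $key.Close() }
        $base.Close()
    }
    [pscustomobject]$result
}

Test-RegistryStringRule -Rule $Rule | Format-List
```

A noncompliant result with Reason "Key not found" when the key is visible in Regedit usually means the value lives in the other registry view; rerun with Is64BitApp set to $true before changing the configuration item.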

3. Define a configuration baseline. This is where you take one or more of the CIs and put them into a package that the Configuration Manager client downloads and at the scheduled time validates by checking the CIs against the computer. The Configuration Manager client then reports the outcome of those checks back to Configuration Manager, where you can then run reports to see if your clients are within the specified configuration. These steps were covered in the last section of the chapter.

1. Master It Assemble a configuration baseline with one or more configuration items you have created.

2. Solution Follow these steps:

i. In the Assets And Compliance workspace, expand Compliance Settings, and then choose Configuration Baselines.

ii. Right-click and choose Create Configuration Baseline.

iii. Enter an appropriate name for this baseline and a description, and select or create any categories necessary.

The Configuration Data list displays all the configuration items or configuration baselines that are included in the configuration baseline.

iv. Click Add to add a new configuration item, and choose the configuration items you have created.

v. Click OK and Apply, and your baseline will be created.

vi. Deploy the configuration baseline to a collection.

Chapter 15: System Center Endpoint Protection

1. Differentiate between FEP and SCEP. There are several differences between FEP and SCEP, including the architecture and the deployment process.

1. Master It Where does SCEP store its data?

2. Solution Remember that FEP used two databases to store data: FEP_DB and FEP_DW. SCEP uses the ConfigMgr 2012 database to store SCEP-related data.

2. Deploy and configure the System Center 2012 Endpoint Protection site system and client. The three main components of enabling SCEP are as follows:

· Install and configure the Endpoint Protection site system.

· Enable and configure the SCEP client.

· Configure the antimalware policies.

1. Master It Do you need to create a package or application to deploy the SCEP client?

2. Solution No. The installation media for the System Center 2012 Endpoint Protection client (SCEPInstall.exe) is distributed to the managed devices as part of the ConfigMgr 2012 client install media. Remember that the SCEP client won’t actually be installed on managed devices until the Endpoint Protection client is enabled and configured in an assigned client settings policy. Also remember that the Endpoint Protection client cannot be enabled until the Endpoint Protection site system role is enabled.

3. Create and assign an SCEP policy. SCEP has two types of policy:

· Antimalware

· Windows Firewall

The antimalware policy is used to define the antimalware settings, while the Windows Firewall policy can be used to control the configuration of Windows Firewall on managed computers. Both types of Endpoint Protection policies are created and modified in the ConfigMgr 2012 console.

1. Master It If you modify the default client antimalware policy and also create a custom antimalware policy with different values for the settings and apply it to a collection, which settings will be applied?

2. Solution Changes made to the default policy will be applied to all managed computers in the environment. However, the custom policy will override any settings that are in conflict with the default policy.

Chapter 16: Mobile Device Management

1. Detail the differences between lite and depth management. The management options and settings available for mobile devices will vary depending on whether lite- or depth-management options are in place.

1. Master It List mobile device management capabilities for lite versus depth management.

2. Solution Lite management of devices allows for limited device inventory, settings management, and remote wipe.

Depth management of devices allows for over-the-air enrollment, full inventory, more complete settings management, software distribution, and remote (selective) wipe.

2. Understand how to configure mobile device management. Properly configuring mobile device management requires addressing several potential scenarios. From a Configuration Manager 2012 perspective, though, the choice is simple: lite or depth management.

1. Master It List the items that need to be configured for both lite and depth management.

2. Solution Lite management requires a properly configured ActiveSync connection between the Exchange server and managed devices and also proper configuration of the Configuration Manager 2012 Exchange ActiveSync connector.

Depth management requires proper configuration of an enterprise certification authority, Active Directory, and several different site system roles. The site system roles include the enrollment point, enrollment proxy point, device management point, and distribution point.

The second option is configuring the Windows Intune connector and using Windows Intune as a middle tier between your Configuration Manager environment and your mobile devices.

3. Understand the depth-management enrollment process. From the user perspective, the enrollment process for depth management is straightforward. Behind the scenes, there are a number of moving parts. Each of these components is critical to the enrollment process.

1. Master It List the components required to enroll depth-managed devices.

2. Solution

§ Enrollment web proxy site system role

§ Enrollment service point site system role

§ Mobile device management point

§ Enterprise Microsoft certification authority

§ Active Directory services and/or

§ Windows Intune subscription

§ Windows Intune connector

Chapter 17: Role-Based Administration

1. Understand the role-based administration model in ConfigMgr 2012. SMS and ConfigMgr 2007 used a class and instance security model, which could be confusing at times. ConfigMgr 2012 adopts the RBAC model, thereby making the administration of security in ConfigMgr 2012 a less-daunting task.

1. Master It What does RBAC stand for? And what does role-based administration mean?

2. Solution RBAC is an acronym for Role-Based Access Control and is the security model used in many products in the System Center suite, including ConfigMgr 2012.

Role-based administration means that the ConfigMgr 2012 administrator can use a combination of security roles, security scopes, and collections to define what the ConfigMgr administrative users can view and manage. ConfigMgr 2012 R2 introduces the ability to apply role-based administration to reports as well, greatly simplifying the process of securing access to report data.

2. Distinguish security roles from security scopes. Security roles and security scopes are important components of the role-based security model in ConfigMgr 2012.

1. Master It Can you identify the key differences between a security role and a security scope?

2. Solution The primary difference between the two is that a security role is used to organize tasks or functions, whereas a security scope is used to define access to objects. The security role is the action (or lack thereof if trying to block access), whereas the security scope is what is acted upon (or lack thereof if trying to block access).

3. Understand which objects in ConfigMgr 2012 define an administrative user. The administrative user consists of the security role, the security scope, and collections. In this chapter you learned the differences between a security role and a security scope, and you know that collections can be used to control the objects that an administrative user can access.

1. Master It As the ConfigMgr 2012 administrator, do you need to create a custom ConfigMgr 2012 console so that the administrative user can see only what you want them to see?

2. Solution No. The beauty of the role-based administration model is that the user will see only what they have access to in the ConfigMgr 2012 console. You do not need to provide a modified console for them. They simply log onto the environment with their administrative user account and open the ConfigMgr 2012 console, and they will see only the objects they have access to. Objects that they do not have access to will be hidden.

4. Understand how to simulate permissions in the ConfigMgr 2012 console. The RBAC model in ConfigMgr 2012 greatly simplifies the process for creating administrative users and defining what objects in ConfigMgr they can access.

1. Master It Besides the ConfigMgr 2012 console itself, what other tool can you use to simulate ConfigMgr user security and verify that the security model will provide the desired level of access?

2. Solution Utilize the RBA Viewer application from the Configuration Manager 2012 Toolkit. It allows you to easily define new security roles, simulate the access a new role will have in the ConfigMgr console, and simulate the console experience under a specific user account.

Chapter 18: Disaster Recovery

1. Configure backups for Configuration Manager sites. Backing up Configuration Manager sites can be automated by scheduling the Backup ConfigMgr Site Server maintenance task. When the Configuration Manager backup service (SMS_SITE_BACKUP) starts, it uses instructions in the backup control file, located at

[ConfigMgr Install Location]\Microsoft Configuration Manager\Inboxes\smsbkup.box\smsbkup.ctl

1. Master It Recovering a complete Configuration Manager site is only supported with site backups from what source?

2. Solution The backups must be created by the Backup ConfigMgr Site Server maintenance task.

2. Recover Configuration Manager sites. Recovery of a Configuration Manager site requires that you do not have a Configuration Manager site installed when starting the Setup.exe process. The recovery process will recover data from the backup files and, provided you have a multisite hierarchy, from a reference site.

1. Master It What is site recovery designed for?

2. Solution It is used for repairing and resynchronizing ConfigMgr data.

3. Archive backup snapshots to another location. The first time the Backup ConfigMgr Site Server task runs, it creates a backup snapshot, which can be used to recover a Configuration Manager site system when it fails. The next time the backup task runs, it makes a new backup snapshot that will overwrite the one that was made during the last snapshot. This could be a problem if the current backup snapshot becomes corrupt for some reason, because there is no other backup to restore from.

1. Master It Which script, which is not created when ConfigMgr is installed, can you use to copy backup snapshots from the site server to a new location?

2. Solution You can use AfterBackup.bat.
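One way to archive each snapshot so that a corrupt latest backup is not the only copy (an added example, not from the book or the product): a PowerShell 4.0+ script, assumed to be started from AfterBackup.bat with powershell.exe -File, that copies the snapshot to a timestamped folder, verifies the copy by SHA-256 and only then prunes old archives. The paths and the retention count are placeholders.

```powershell
# Added example, not from the book: archive the current backup snapshot under a
# timestamped name, verify the copy by SHA-256, then prune old archives.
# Requires PowerShell 4.0 or later (Get-FileHash). All paths are placeholders.
param(
    [string]$SnapshotPath = 'D:\CMBackup\ExampleSnapshot',          # placeholder: backup task target
    [string]$ArchiveRoot  = '\\fileserver.example.test\CMArchive',  # placeholder: archive share
    [int]$KeepCopies      = 7                                       # assumed retention count
)
$ErrorActionPreference = 'Stop'

function Get-TreeHash {
    # Returns @{ relative path = SHA-256 hash } for every file below $Root.
    param([string]$Root)
    $full = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $map = @{}
    Get-ChildItem -LiteralPath $full -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($full.Length + 1)
        $map[$relative] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $map
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $ArchiveRoot "snapshot-$stamp"

# Hash the snapshot first; an empty snapshot is treated as a failed backup.
$source = Get-TreeHash -Root $SnapshotPath
if ($source.Count -eq 0) { throw "Snapshot '$SnapshotPath' contains no files; nothing archived." }

# robocopy exit codes of 8 or higher mean at least one file failed to copy.
robocopy $SnapshotPath $dest /E /R:2 /W:5 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Compare every source file against the archived copy (a missing file also counts).
$copy = Get-TreeHash -Root $dest
$bad = @($source.Keys | Where-Object { $copy[$_] -ne $source[$_] })
if ($bad.Count -gt 0) {
    # Stop before pruning so older archives survive when the new copy cannot be trusted.
    throw "Archive verification failed for $($bad.Count) file(s), e.g. '$($bad[0])'"
}

# Store the hashes beside the archive so it can be re-verified before a recovery.
$manifest = Join-Path $ArchiveRoot "snapshot-$stamp.sha256"
$source.GetEnumerator() | Sort-Object Key |
    ForEach-Object { '{0}  {1}' -f $_.Value, $_.Key } |
    Set-Content -LiteralPath $manifest

# Prune: timestamped names sort chronologically, so keep the newest $KeepCopies.
Get-ChildItem -LiteralPath $ArchiveRoot -Directory -Filter 'snapshot-*' |
    Sort-Object Name -Descending | Select-Object -Skip $KeepCopies |
    ForEach-Object {
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
        Remove-Item -LiteralPath "$($_.FullName).sha256" -ErrorAction SilentlyContinue
    }
```

Restrict write access on the archive share to the account that runs the backup task, since anyone who can modify both an archive and its .sha256 file can defeat the later re-verification.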

4. Reinstall the site components and reset file and registry permissions to their default settings. From time to time other administrators mess around with the default permissions that are configured on the different folders and shares created by Configuration Manager.

1. Master It How can you restore the file and registry permissions without performing a complete restore?

2. Solution Run setup.exe from the Start menu or from the <Configuration Manager installation directory>\Microsoft Configuration Manager\bin\x64 folder. Select Perform Site Maintenance Or Reset This Site and click Next. On the Site Maintenance page select Reset Site With No Configuration Changes and finish the wizard.

Chapter 19: Troubleshooting

1. Create a basic maintenance plan. Setting up a basic maintenance plan is a vital step to ensure the proper health of your Configuration Manager 2012 R2 hierarchy.

1. Master It How do you create a basic maintenance plan?

2. Solution Develop a plan, similar to the guidelines discussed in the section “Creating the Maintenance Plan” in Chapter 19. Review and modify the plan on a biannual basis, and update it throughout the year to ensure nothing gets overlooked and the documentation is up to date with the current design of the Configuration Manager site.

2. View log files using CMTrace. Although using CMTrace is not a requirement for viewing log files, it is highly recommended because CMTrace constantly monitors the opened file for updates.

1. Master It Use CMTrace to view log files.

2. Solution ConfigMgr CMTrace is located on your installation media in SMSSETUP\Tools\cmtrace.exe. Click File, browse to the log file you want to review, and open it.

3. Troubleshoot DRS replication. To view the current status of the ConfigMgr DRS replication and to know the latest information about the changes being requested on the site, it’s important to be familiar with the log file and the replication process.

1. Master It Which log file do you need to open to view the latest changes in the replication process?

2. Solution Locate the RCMCtrl.log file and open it using CMTrace. Locate the DRS initiation and RCM changes.

Other solutions might include executing the spDiagDRS stored procedure to view the current replication status and details about the data that is being replicated. You can find more details about the RCMCtrl.log at the beginning of Chapter 19.

4. Master the troubleshooting steps. It’s important to outline the steps to identify a problem and solve it.

1. Master It How many steps were needed to troubleshoot Contoso?

2. Solution You need the following seven steps:

i. Define and identify the problem.

ii. Analyze the situation.

iii. Identify possible solutions.

iv. Select the best solution.

v. Evaluate the solution.

vi. Develop an action plan.

vii. Implement the solution.