Microsoft System Center: The New Look of SCCM

Microsoft System Center Configuration Manager is changing to reflect the new approach of managing users rather than systems.

Paul Schnackenburg

Enterprise systems management is changing, so the tools you use must change as well. System Center Configuration Manager (SCCM), the stalwart management solution from Microsoft, is following that trend.

One of the biggest changes—at least within SCCM—is the shift toward User Centric Management (UCM). This management approach puts the users first, not the systems. There’s also a new role-based security model, a new console and the potential for a simplified infrastructure.

The System Center family of products is critical to Microsoft’s continued success in the changing enterprise market. In many ways, SCCM is the most important member of the family. SCCM 2012 is now in first beta, with a second beta expected within the first half of 2011. You can expect some features to change between now and the RTM version.

If you’re new to SCCM, here’s how it works: It surveys and discovers any devices (servers, client PCs and smartphones) connected to your network through Active Directory and installs the client software on each node. It builds up an inventory database with records on each asset and installed software and hardware specs. It uses this data to target application deployments to groups of devices or users.

Once asset discovery is complete, management is essentially automated. Patch management is based on Windows Server Update Services (WSUS) and is built-in. You can automatically have newly installed hardware receive OS deployments, or have existing machines targeted for an OS upgrade. You can enforce corporate policy through settings management. SCCM can integrate with Windows Server 2008 Network Access Protection (NAP) to ensure clients are healthy before allowing full network access.

Focus on the User

The “Consumerization of IT” is a fact of life. Resistance to this trend is probably futile in the long run. Along with this trend comes a multitude of devices and platforms you’re expected to support. Most of these mobile devices are wielded by a younger generation who are often far more tech-savvy than their older coworkers.

SCCM has always been about systems management. To handle the changing landscape, it’s now rightly putting users in a central role. This new philosophy gives them more control over what software they have installed and when it’s installed. For example, a user can define their own work hours so installations and upgrades take place when they’re not working (see Figure 1).

Figure 1 User Centric Management lets users control aspects of their own application environment


Each of your users can have one or more Primary Devices (meaning a desktop PC, laptop or smartphone). There can be more than one Primary User of a particular device (for example, during shift work in a factory). You help define these relationships through user device affinity (UDA). There are several methods to create the link: file import, manually by an administrator, by the end user or through usage statistics.

Further involving users in managing their own systems is a new interface called the Software Center. This employs a familiar browser and shopping cart interface to let users search for and request applications. Depending on the application, you can have it installed straight away or first require administrator approval.

Manage Applications More Efficiently

There are still packages and programs in SCCM 2012, as with previous versions, but they’re now complemented by the new state-based model that works for the entire application lifecycle. Each application has a purpose (Required or Available), requirement rules and one or more deployment types (see Figure 2). You can set deployment types as Microsoft Application Virtualization, Script Installer, Microsoft Windows Installer (MSI), Remote Desktop App or Windows Mobile Cabinet.

Figure 2 Each application can have multiple types of deployment


There’s considerable flexibility gained in being able to use multiple application deployment methods. You can, for example, install Adobe Reader as a native application on your primary device, as a Remote Desktop App if you have a user who logs onto a server, and as an App-V program on any other device. For situations where one application relies on another, you can create dependencies so that application X is installed if it’s not present before application Y is deployed.

SCCM now uses retirement to uninstall applications. This was only available for App-V programs in SCCM 2007. In SCCM 2012, you can use this across all deployment types.

Many businesses maintain an application deployment testing lab to smooth out any issues before going live. You can now use SCCM to export an application (including all dependent files) from the lab and import it into the production network. SCCM tracks all software deployments in the Monitoring node, rather than in the separate Status Message Viewer, as in SCCM 2007. Reporting features are rich, making it easier to spot problems.

It’s common to write complex queries in SCCM 2007 to target programs based on technical and business requirements. Requirement rules are a new feature intended to minimize the amount of query tweaking you’ll have to do. You can make these rules global and apply them to all deployment types for a particular application or apply them only to one deployment type.

The beauty is that these rules are evaluated on the client at install time. They don’t rely on potentially out-of-date data from the database (see Figure 3). Pre-flight testing of an application deployment without actually having to install it is coming in beta 2.

Figure 3 Requirement rules should minimize the need for complex queries. They’re also a lot easier to define
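To make the application model concrete, here is an added example (not code from the article or from SCCM) that models an application with global requirement rules plus per-deployment-type rules, evaluated against constructed client facts at install time, and picks the first deployment type whose rules all pass. The fact names, operators and the Adobe Reader layout are assumptions for illustration.

```python
import operator
from dataclasses import dataclass, field

# Operators are looked up lazily so a rule only compares values of a matching kind
OPS = {"==": operator.eq, ">=": operator.ge, "in": lambda actual, allowed: actual in allowed}

@dataclass
class Rule:
    """A requirement rule: a client fact, a comparison operator and the expected value."""
    fact: str
    op: str
    value: object

    def passes(self, facts):
        actual = facts.get(self.fact)
        if actual is None:
            return False            # an unknown fact never satisfies a rule
        return OPS[self.op](actual, self.value)

@dataclass
class DeploymentType:
    name: str                       # e.g. MSI, App-V, Remote Desktop App
    rules: list = field(default_factory=list)

@dataclass
class Application:
    name: str
    global_rules: list              # apply to every deployment type
    deployment_types: list          # evaluated in priority order

def select_deployment_type(app, facts):
    """Return the first deployment type whose global and own rules all pass, else None."""
    for dt in app.deployment_types:
        if all(r.passes(facts) for r in app.global_rules + dt.rules):
            return dt.name
    return None

# Constructed client inventory facts, the kind of data evaluated locally on the client
CLIENT = {"os": "Windows 7", "free_disk_mb": 40000, "primary_device": True, "session_type": "console"}

# Constructed application mirroring the article's Adobe Reader scenario
READER = Application(
    name="Adobe Reader",
    global_rules=[Rule("os", "in", ("Windows Vista", "Windows 7"))],
    deployment_types=[
        DeploymentType("MSI", [Rule("primary_device", "==", True), Rule("free_disk_mb", ">=", 500)]),
        DeploymentType("Remote Desktop App", [Rule("session_type", "==", "rdp")]),
        DeploymentType("App-V", []),
    ],
)

if __name__ == "__main__":
    print(select_deployment_type(READER, CLIENT))
```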


Operating System Deployment (OSD) has always been one of the strengths of SCCM. SCCM 2012 introduces hierarchy-wide bootable media. This negates the need to maintain separate OSD boot media for each site. It also integrates version 4 of the User State Migration Tool (USMT) into the interface. Pre-Boot eXecution Environment (PXE) support is now just a Distribution Point (DP) attribute. It uses the same certificate as the DP. There are also significant improvements to PXE scalability.

Offline servicing of Windows Imaging Format, or WIM, images (Windows Vista SP1 or later) takes updating and patching to a whole new level. You can simply schedule installations to the image library. The new OS deployments will be up-to-date without having to deploy a reference image to hardware and then capturing it after patching is complete.

Intel vPro/Active Management Technology (AMT) gives you access to the hardware without a working OS. SCCM 2012 supports this, but it doesn’t look like it will support version 6, which comes with a proprietary Virtual Network Computing, or VNC, server.

Role-Based Access Control

There’s a trend in Microsoft enterprise products, as well as the industry in general, toward adopting a role-based approach to administrative security. In SCCM 2012, this means Primary Sites are no longer security boundaries. The new console is controlled by Role-Based Access Control (RBAC), hiding interface elements if the user doesn’t have legitimate access. The administrative tasks are grouped in Security roles. They’re combined with Security scopes to control exactly who can do what, where and when. There are 13 roles in beta 1. You can supplement these with your own business-specific roles and scopes (see Figure 4).

Figure 4 There may be more than the current 13 roles by the time release to manufacturing (RTM) rolls around
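As an added illustration of the role-plus-scope model described above (example code, not SCCM’s own implementation or API), this constructed model pairs each security role with a security scope and shows why a role assigned in one scope grants nothing in another, which is what lets scopes, rather than sites, bound administrative access. The role names, operations and scope contents are assumptions.

```python
from collections import namedtuple

# Constructed role catalogue: each security role is a set of permitted administrative operations
ROLES = {
    "Application Administrator": {"create_application", "deploy_application", "read_application"},
    "Read-only Analyst": {"read_application", "read_collection"},
}

# Constructed security scopes: each scope is the set of objects it covers
SCOPES = {
    "Default": {"app:Office", "app:Reader", "coll:All Desktops"},
    "Finance": {"app:ERP", "coll:Finance Workstations"},
}

# An administrative user holds (role, scope) pairs. A role grants its operations only on
# objects inside the scope it is paired with, never across every scope the user holds.
Assignment = namedtuple("Assignment", "role scope")

def is_permitted(assignments, operation, obj):
    """True if a single assignment both permits the operation and covers the object."""
    return any(operation in ROLES[a.role] and obj in SCOPES[a.scope] for a in assignments)

def permitted_objects(assignments, operation):
    """Objects on which this user may perform `operation`; an RBAC-aware console shows only these."""
    return {obj for a in assignments if operation in ROLES[a.role] for obj in SCOPES[a.scope]}

# Constructed user: full application administrator in Finance, read-only elsewhere
ALICE = [Assignment("Application Administrator", "Finance"),
         Assignment("Read-only Analyst", "Default")]

if __name__ == "__main__":
    print(is_permitted(ALICE, "deploy_application", "app:ERP"))     # permitted in Finance
    print(is_permitted(ALICE, "deploy_application", "app:Office"))  # not permitted in Default
    print(sorted(permitted_objects(ALICE, "read_application")))
```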



Meet the New SCCM Console

Based on the System Center framework, SCCM 2012 has a totally new console. It no longer relies on the Microsoft Management Console. It gives you an easier way to administer SCCM. There’s a “Wunderbar” (yes, that’s the official technical term) with links to Assets and Compliance, Monitoring, Administration and the Software Library. There’s less clicking to navigate trees due to the tabs at the bottom of the main pane (see Figure 5).

Figure 5 The new console should make the performance issues of the Microsoft Management Console in 2007 a thing of the past


Smartphone Support

System Center Mobile Device Manager 2008 wasn’t exactly a success. However, its functionality for Windows Mobile will be built into SCCM 2012. It will also add support (most likely in beta 2) for managing Symbian and Nokia devices. The stated goal is to help you manage all devices (servers, desktops, laptops and smartphones) directly in SCCM 2012.

What’s missing is more important than what’s included. Support for the iPhone, Android and Windows Phone 7 is only covered by “lite management” through an Exchange ActiveSync connector. Deep management (and remote control for smartphones) is so far only promised for after release to manufacturing (RTM).

Infrastructure Simplification

There are many sweeping changes in SCCM 2012. None of them will require more planning and up-front work than the hierarchy improvements. The goal is a flatter structure with fewer site system servers. The system requirements are another factor in the planning phase. SCCM 2012 is 64-bit only. It will only run on Windows Server 2008 or Windows Server 2008 R2 with SQL Server 2008 SP1 (x64) or later in the back end. However, DPs can still run on 32-bit Windows.

To achieve these flatter hierarchies, there’s a new Central Administration Site (CAS) that can’t have assigned clients. It’s used only for administration and reporting (through SQL Server reporting).

There’s no need for a CAS unless you have more than one primary site. Each primary site supports about 100,000 clients. You may want more than one for redundancy, even in smaller environments. You can’t tier primary sites as you could in SCCM 2007. You can with secondary sites, but you could probably turn many of those into DPs as they now offer bandwidth control.

Content distribution is now the responsibility of SQL Server replication, though software packages, patches and OS images still use the file-based model. Replicated data is divided into Global data (administrator generated, such as collections, RBAC roles and the like) and Site data (system generated). Because of this, each secondary site will need SQL Server (SQL Server Express is included).

Client agent settings are now defined at the collection level, instead of at the site level. You can have each client receive settings from multiple collections. Active Directory schema extensions are the same as in SCCM 2007, so publishing site information will work without any further schema changes. If you have Windows Server 2008 R2 with Windows 7 (Ultimate or Enterprise) in a branch, SCCM 2012 can take advantage of BranchCache.

Branch Distribution Points let you store packages on a workstation computer. This works well in offices with fewer than 100 devices, where Background Intelligent Transfer Service, or BITS, bandwidth control is enough. Although there are DP groups in SCCM 2007, they’re mostly a cosmetic administrative aid. When you add content to a DP group in SCCM 2012, all members receive that data. When you add another DP, it, too, receives all group content. SCCM 2012 also lets you manually copy content to both branch DPs and standard DPs. SCCM 2007 only allows this for branch DPs.

Plan Your Migration

Moving from Systems Management Server (SMS) 2003 to SCCM 2007 offered two options: side-by-side migration or in-place upgrade. Microsoft provided no tools to help with the former option. Going from SCCM 2007 to SCCM 2012, there’s no in-place upgrade (because of the switch to 64-bit architecture). However, there are migration tools built into the console. To migrate SCCM 2007, it needs to be at the service pack 2 level.

SCCM 2012 is installed in parallel (with new site codes). Starting at the central site, it maps metadata from the old environment to the new. Each site is matched to its counterpart. This synchronization is also scheduled so that any changes during the migration are replicated from the old to the new. Once it has created the structure in SCCM 2012, it copies actual objects via migration jobs you can run on-demand or schedule for later.

You can’t mix users and computers in SCCM 2012 collections. If you have mixed collections in your current environment, you’ll need to change them before migration. Packages remain as packages in SCCM 2012. If you want to take advantage of the application improvements, you’ll have to convert these manually.

DPs are shared during the migration phase. You can use both SCCM 2007 and SCCM 2012 clients to access DPs. SCCM clients are upgraded via your software-distribution method of choice. Migration continues down the hierarchy until everything has been converted; then the scheduled synchronizations are turned off, starting at the bottom.

The Desired Configuration Management (DCM) in SCCM 2007 has been renamed as Settings Management, and it goes the last mile. Rather than just reporting on configuration drift, there’s now an option for manual or even automatic remediation for file, registry and WMI-configuration items.

SCCM 2012 is a big change. Putting users in the center of its management philosophy and involving them is a clever move. The new console and the promise of a simpler hierarchy is sure to be enticing, and the new application model is sure to save you considerable time.

Paul Schnackenburg has been working in IT since the days of 286 computers. He works part time as an IT teacher as well as running his own business, Expert IT Solutions, on the Sunshine Coast of Australia. He has MCSE, MCT, MCTS and MCITP certifications and specializes in Windows Server, Hyper-V and Exchange solutions for businesses. Reach him at paul@expertitsolutions.com.au and follow his blog at https://TellITasITis.com.au.