How Microsoft IT Uses System Center 2012 Configuration Manager SP1

Shitanshu Verma: Service Engineering ManagerKarthik Jayavel: Service Engineer

UD-B305

Session Objectives and TakeawaysSession Objectives • Share real world deployment experiences of System

Center 2012 SP1 Configuration Manger • Explain how Microsoft uses the new features in System

Center 2012 SP1 Configuration Manager

Key Takeaways• Lessons learned from deploying System Center 2012 SP1

Configuration Manager• Understand the value of new features in System Center

2012 SP1 Configuration Manager

Features and Solutions Used

Intune Connector

User Centric Application Delivery

Macintosh Client Management

Orchestrator Runbooks

Modern Application Distribution

Software Update Point List

Automatic Client Deployment

Infrastructure ExperiencesReal World @ Microsoft IT

Unified Management Infrastructure @ Microsoft IT

Redmond Site 175k

Clients

Redmond Site 275k

Clients

North & South

America35k Clients

Europe, MidEast, Africa

40k Clients

Australia & Asia

75k Clients

Unified Device MgmtSite

~98K devices *

MS Online Directory Services (MSODS)

Active Directory

Federation Server 2.0

MS Online Directory

Sync (DirSync)

ADUser

Discovery corp domains

Intune Subscriptio

n

Connector Site role

Infrastructure• 6 Primary Sites• 13 Secondary Sites• 250 Distribution

PointsPCs & Devices• ~300,000 clients• ~125k mobile

devicesUsers• ~98k FTEs• ~82k Vendors

*projected device count

SP1 Infra Upgrade High level Overview Almost zero touch upgrade experience

• To kick off & monitor execution units (tasks) on target servers to be upgraded

• To leverage existing scripts & create new ones

Task Configuration File• Run (Task Location, Command, Parameter

Variables), Expected Output, Run Order, Success Criteria

• One time creation of automation types / versions of product (CM12 SP1 Upgrade, New CM07 Infra w/WSUS 3.0 SP2, New CM12 SP1 Infra)

Build Configuration File • Where to run, Parameters, Start

Task ID, Stop Task ID, Execute (Yes/No)

Used Orchestrator Runbooks

Used Configuration Files as Input for Runbook

< >

Thursday, April 11, 2013 | 12:00 PM-1:15 PM

UD-B319- Microsoft IT - How Microsoft IT upgrades System Center Configuration Manager using System Center Orchestrator Automation

More In Depth Session: UD-B319

Upgrade Tasks Automated…Task Type Description

Test DB Upgrade

Backup DB, Copy & Restore DB

Test DB Upgrade

Run Test DB Upgrade

Upgrade Backup old CM Logs

Upgrade Copy Source Bits

Upgrade Run QC Checks

Upgrade Disable SQL Agent Jobs

Upgrade Upgrade CAS, Primary, Secondary Sites

Upgrade Import MOF Customizations

Upgrade Re-Enable Application Catalog Performance Counters

Upgrade Re-Apply Custom Share Permissions

Upgrade Run Post QC checks

Common Monitor Logs

Common Execute SQL Script files

Automated Upgrades – Consistent deploymentsEntire hierarchy upgraded in 24 hours

Cloud Based Distribution Point Microsoft IT Evaluation

o Did not find a location at Microsoft IT that meets requirements to deploy

o Provisioned in LAB for validation purposes

Proso Content is encrypted by CM site before

being sento Cloud DPs can be scaled up/down to meet

current demand with high availability o Supports BranchCache clients to control

cost

Conso Cloud DP does not support PXE, multicast,

OSD, App-v streaming, task sequences, packages that run from cloud DPMore info available here: http://

blogs.technet.com/b/configmgrteam/archive/2013/01/31/new-distribution-points-in-configuration-manager-sp1.aspx

PR1

MP

MP DP

Windows Azure

Distribution Point

Microsoft Update

Policy

Content

FIREWALL

Corporate Network

Software Update Point and Network Load Balancer

Note Worthy Items• Software update points redesigned in

SP1

• Multiple software update point sites in the same forest or in a different forest are supported

• You no longer have the option to configure a software update point as an network load balancer via the console

More info available here: http://technet.microsoft.com/en-us/library/gg682168.aspx

Pre & Post Upgrade• Pre Upgrade: Required to remove the

network load balancer for your active software update points

• Post Upgrade: Admin has option to reconfigure NLB by using Set-CMSoftwareUpdatePoint PowerShell cmdlet

If you are using SUP with NLB and SUP based client installation then this is MUST to know!!

Software Update Point and NLB Walkthrough

1. Remove the network load balancer as pre-upgrade for your active software update points

2. Post SP1 upgrade you have the option to reconfigure the NLB

3. Connect Windows PowerShell via ConfigMgr Console4. Use “Set-CMSoftwareUpdatePoint” PowerShell cmdlet

for configuring the NLBSet-CMSoftwareUpdatepoint -SiteSystemServerName <your.SUPserver.fqdn> virtualIP <nlb.fqdn> -confirmOrSet-CMSoftwareUpdatepoint -SiteSystemServerName <your.SUPserver.fqdn> virtualIP <nlb ipaddress> -confirm

5. You can verify it by running the following query:select * from SC_SysResUse_Property p inner join SC_SysResUse s on s.ID = p.SysResUseID where s.RoleTypeID in (select RoleTypeID from SC_RoleType where RoleName='SMS Software Update Point') and p.Name='NLBVIP' OR p.Name='PublicVIP'

Client Upgrade Experiences

Key Benefits

Automatic Client Upgrade

Provide an automatic deployment

mechanism to distribute client language packs

Simple, Easy, and Automatic

Upgrades any clients less than hierarchy version to minimum

client version

Both Client Push and Software Distribution based upgrades have

Administrator overhead

Publishing new client via WSUS may cause

server overload

Provided a simple and automatic method for upgrading clients

Ensured clients remained at a minimum baseline client version

Ensure pre-reqs and language packs serviceability

Automatic Client Upgrades

Automatic Client Upgrades Enabled

Status via ConsoleNumbers of days allotted

When: Modified Date

Who: Modified By

What: Client Version Baseline

1. Enable Client Automatic Upgrade

2. All systems receive new policy

3. All systems run required (hidden) deployment for upgrade package “Ccmsetup.exe /autoupgrade”, only this package is downloaded which is <1mb

4. Ccmsetup create scheduled task to execute based on “days to upgrade” value specified in console

5. Schedule task executes with callback to ccmsetup, if prereqs are needed it is at this time they are downloaded

6. Ccmsetup executes performing upgrade using last executed command lines parameters

7. Scheduled task deleted, ccmsetup.exe and ccmsetup.cab moved to cache folder

Sequence of Events

cv1

3

4

1

3

4

Detailed Steps

Scheduled Task

Demo: Client Upgrades Using Auto Deployments

Enabled for ~270,000 clients geo distributed across five primary sites

Automatic Client Upgrades @ Microsoft IT

Auto Client Upgrades

o If the scheduled task executes while device is disconnected then the task will fail

o The last successfully executed command line will run

o Client health remediation will not cause pending auto upgrade to cancel. Only another client deployment request will cause scheduled tasks to cancel

o Auto upgrade will not run if system is on slow or unreliable network, will show as waiting for content

o Client automatic upgrade can not be used to deploy ConfigMgr updates

o If days to upgrade are past deadline then all clients past the days to upgrade will upgrade within 24 hours

o Automatic client upgrade schedule will adhere to the maintenance windows if they are being utilized

o If an Embedded system goes into servicing maintenance window the client will be upgraded for those systems that have write filters enabled

Note Worthy Items

Application Management

Modern Application Delivery

Native management of Windows RT, Windows Phone 8 and iOS through Windows Intune Unified Management

Administration Windows RT Windows Phone 8 iOS

Available user targeted apps DeepLink support In console deployment monitoring

Single pane of glass: Manage app deployments to modern devices through integration with the ConfigMgr SP1 admin console

Simplified Administration Experience

Advanced Modern Device Management

Windows 8 Side-Loading Requirements• Enterprise Client SKU

• Machine must be domain joined OR requires special key to enable side-loading• Enable policy (GP) for “Allow all trusted apps to install”

• Other Client SKUs (Windows 8 Pro & Windows RT)• Requires special key to enable side-loading• Enable policy (GP) for “Allow all trusted apps to install”• Domain join on the Pro SKU does nothing for side-loading

• All Server SKU’s• Machine must be domain joined – no separate “activation” via special key supported

currently• Enable policy (GP) for “Allow all trusted apps to install”

Building and Deploying Windows 8 LOB

Enterprise builds LOB app or gets app from ISV outside of the store

Build1

SignSign with Enterprise trusted cert Publisher name in the certificate and package must match

3

DeployDeploy using System Center 2012 Configuration Manager SP1

4

CertifyCertify LOB app using Windows App Certification kit

2

Demo: Modern Apps

Application Virtualization @ Microsoft IT

App-V 4.6 SP2 and App-V 5.0 can coexist for easy migration!

App-V 4.6 SP2 Support• Needed for Windows 8• Same Feature

Functionality

App-V 5.0• New Deployment Type

for App-V 5.0 Applications

• Integrated with App-V Connection group

App-V in ConfigMgr SP1

Next Generation DSC

• Packages can be deployed in multiple Virtual Application Connection Groups

• Configuration is separate from packages

Integrated w/ App-V Mgmt. Server and ConfigMgr

• Create and configure via Server User Interface or PowerShell

• Know the dependenciesManage in Standalone Mode

• Can use PowerShell to create and manage

Supported Configurations

• Applications + Plugins• Applications + Middleware• Applications + Applications

Virtual Application Connection

Migration from App-V 4.6 & ConfigMgr SP1

Convert Packages to App-V 5.0

Deploy the App-V 5.0 client via Configuration Manager

Copy App-V apps, create App-V 5.0 DTs and supersede

Create Virtual Environments

1

2

3

4

Deploy App-V apps 5

MAC and Device Management

Mac Management @ Microsoft ITPilot Overview• Collaborated with Microsoft IT certificate team to obtain appropriate user cert • Leveraged user enrollment model for Mac agent installation• Automated ConfigMgr SP1 agent installation using a custom script to reduce actions

from user side

 

Agent Installation

1 Certificate Enrollment

2 Machine Reboot

3

• Deployed below Microsoft IT security policies to all enrolled Mac machines

Policy Setting

Screen Saver Idle Time 900 (Seconds)

Require Password at Screen Saver 

Yes

Password Strength

Alphanumeric Required: Yes MinChars=8MaxFailedLoginAttemps=8 MaxDaysUntilChangePassword=70

• Deployed Skype and SCEP via Software Distribution deployments

Mac Management Food For Thought 

Note Worthy Items• Mac’s in Microsoft IT are not domain joined • Devices need to be corpnet connected• Published Mac agent bits and script on boundary servers• Changed client settings using Settings Management

• Deadline time for software distribution: 120 minutes• Reboot delay: 60 minutes

Key Benefits• Provides Microsoft IT an on-prem native management solution for

managing Mac’s across the Yammer, Skype and MacBU/Apex business groups

• Less complex network design as Device Management Point is not internet facing

• Met Corp Security requirements by driving the Product Team to leverage user cert based enrollment vs. machine cert based enrollment

Unified Device Management Scope @ MSIT

AndroidEAS Only

Native Management Scope

Windows Phone 8• Current: 140• Planned: 24k

Windows RT• Current: 35• Planned: 19k

Apps Published• 9 WP8 LOB • 1 Deep Linked

Apps Published• 12 WinRT Apps • 2 Deep Linked

Device Enrollments and Modern Apps

Unified Device Management Solution @ MSITDevice Management• Windows PCs, Mac’s: ConfigMgr

SP1• WP, Android, Smart Phones, etc:

EAS • WP8, WinRT, iOS: Intune (native

mgmt.)

Unified Management• ConfigMgr 2012 SP1 on-prem

infra• Windows Intune Wave D cloud• Exchange connector (reporting)

Administrative Experience• Single pane of glass and

simplified administration • Managed via ConfigMgr console

Single pane of glass

EAS EAS

SP1

Simplified Administration

Wave D Beta

Microsoft IT Unified

Management Infrastructur

e

Administrative Experience

Windows RT, Windows Phone 8,

iOS

Windows Phone, Android, Smart Phones,

etc

Mac OSWindows PCs

(x86/64)

Devices

Unified Device Management ArchitectureUnified Management @ MSIT

Unified Device Management

Note Worthy Items• Device scale – 100k user limit• Company portal and WIPE scenarios evaluated for Windows Phone 8 and Windows

RT devices• Corporate Security EAS policies enforced via Settings Management • Exchange connector used to consolidate inventory and merge device records• End user education provided via enrollment and Microsoft IT work smart guides• Created FAQs and support guides for Help Desk and Microsoft Tier 2 support teams• Developed custom inventory reports to provide a consolidated view of enrolled

devices• Microsoft IT broad device management communications/enrollments planned for

June 2013 Wednesday, April 10, 2013 | 2:45 PM - 4:00 PM UD-B311- Deploying System Center 2012 Configuration

Manager SP1 With Windows Intune

More In Depth Session: UD-B311

Wake Up Proxy Implementation

Enabled Wake Up Proxy agent installation using custom client agent setting

Identified DA gateway address and configured

Traced network performance after Wake Up Proxy agent installation during pilotTargeted Wake Up Proxy agent on regions having high opt out: 16k machines

1

2

3

4

3 machines be awake randomly

Ping should be enabled in the network

Food For Thought

Wake Up Proxy - Implementation

Food For ThoughtAdditional Useful Information & Resources ConfigMgr 2012 SP1 is now supported on SQL 2012 with a minimum

cumulative update of CU2 and not supported in SQL 2012 SP1 http://support.microsoft.com/kb/2817245

Cumulative Update 1 for System Center 2012 Configuration Manager Service Pack 1 - http://support.microsoft.com/kb/2817245

Reports improvement in SP1 for using role based administration defined in console

If you love automation, then don’t forget to check out 471 Configuration Manager SP1 PowerShell Cmdlet available here http://technet.microsoft.com/en-us/library/jj821831.aspx

Explore Pull Distribution Point for Content Management and to save WAN traffic cost for sites saving large distribution points

New updated toolkit for SP1 for additional add on such as content library transfer etc. download from here: http://www.microsoft.com/en-us/download/details.aspx?id=36213&WT.mc_id=rss_alldownloads_all

ResourceAdditional Resources Microsoft IT Windows Phone 8, Windows RT and iOS

enrollment guides: http://sdrv.ms/10f5g2y Microsoft IT Mac enrollment script: http://

sdrv.ms/10f5s1M Makeappx and signtool article :

http://msdn.microsoft.com/en-us/library/windows/desktop/hh446767(v=vs.85).aspx

In Review

• Session Objective• Share real world

deployment experiences of System Center 2012 SP1 Configuration Manger

• Explain how Microsoft uses the new features in System Center 2012 SP1 Configuration Manager

• Key Take Aways• Apply lessons learned

from deploying System Center 2012 SP1 Configuration Manager

• Plan to implement new features in System Center 2012 SP1 Configuration Manager

Related Content from Microsoft IT• UD-B328 The Top Ten Lessons Learned in

Managing SQL & Reporting • UD-B319 How Microsoft IT Upgrades System

Center Configuration Manager 2012 Hierarchy with System Center Orchestrator Automation

• UD-B311 Deploying System Center 2012 Configuration Manager SP1 With Windows Intune

More Information• System Center in Action Site

• http://blogs.technet.com/b/system_center_in_action

• Technical Case Study: How Microsoft IT Deployed System Center 2012 Configuration Manager• http://technet.microsoft.com/en-us/library/hh913620.aspx

• Technical Case Study: User-Centric Client Management with System Center 2012 Configuration Manager in Microsoft IT• http://technet.microsoft.com/en-us/library/hh925141.aspx

• Shitanshu Verma’s Blog• http://blogs.msdn.com/b/shitanshu

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.