How Microsoft IT Uses System Center 2012 Configuration Manager SP1
Shitanshu Verma: Service Engineering Manager
Karthik Jayavel: Service Engineer
UD-B305
Session Objectives and Takeaways
Session Objectives
• Share real world deployment experiences of System Center 2012 SP1 Configuration Manager
• Explain how Microsoft uses the new features in System Center 2012 SP1 Configuration Manager
Key Takeaways
• Lessons learned from deploying System Center 2012 SP1 Configuration Manager
• Understand the value of new features in System Center 2012 SP1 Configuration Manager
Features and Solutions Used
Intune Connector
User Centric Application Delivery
Macintosh Client Management
Orchestrator Runbooks
Modern Application Distribution
Software Update Point List
Automatic Client Deployment
Infrastructure Experiences: Real World @ Microsoft IT

Unified Management Infrastructure @ Microsoft IT
Redmond Site 1: 75k clients
Redmond Site 2: 75k clients
North & South America: 35k clients
Europe, Middle East, Africa: 40k clients
Australia & Asia: 75k clients
Unified Device Management Site: ~98k devices *

[Architecture diagram: Intune Subscription and Connector site role; MS Online Directory Services (MSODS); Active Directory Federation Server 2.0; MS Online Directory Sync (DirSync); AD User Discovery of corp domains]

Infrastructure
• 6 Primary Sites
• 13 Secondary Sites
• 250 Distribution Points
PCs & Devices
• ~300,000 clients
• ~125k mobile devices
Users
• ~98k FTEs
• ~82k Vendors
* projected device count
SP1 Infra Upgrade: High Level Overview
Almost zero touch upgrade experience

Used Orchestrator Runbooks
• To kick off & monitor execution units (tasks) on target servers to be upgraded
• To leverage existing scripts & create new ones

Used Configuration Files as Input for Runbooks
Task Configuration File
• Run (Task Location, Command, Parameter Variables), Expected Output, Run Order, Success Criteria
• One time creation of automation types / versions of product (CM12 SP1 Upgrade, New CM07 Infra w/WSUS 3.0 SP2, New CM12 SP1 Infra)
Build Configuration File
• Where to run, Parameters, Start Task ID, Stop Task ID, Execute (Yes/No)
More In Depth Session: UD-B319
Thursday, April 11, 2013 | 12:00 PM-1:15 PM
UD-B319 - Microsoft IT - How Microsoft IT upgrades System Center Configuration Manager using System Center Orchestrator Automation
Upgrade Tasks Automated…

Task Type        Description
Test DB Upgrade  Backup DB, Copy & Restore DB
Test DB Upgrade  Run Test DB Upgrade
Upgrade          Backup old CM Logs
Upgrade          Copy Source Bits
Upgrade          Run QC Checks
Upgrade          Disable SQL Agent Jobs
Upgrade          Upgrade CAS, Primary, Secondary Sites
Upgrade          Import MOF Customizations
Upgrade          Re-Enable Application Catalog Performance Counters
Upgrade          Re-Apply Custom Share Permissions
Upgrade          Run Post QC checks
Common           Monitor Logs
Common           Execute SQL Script files

Automated Upgrades – Consistent deployments: entire hierarchy upgraded in 24 hours
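The runbook-driven upgrade above is built on two inputs: a task configuration (command, parameters, run order, success criteria) and a build configuration (where to run, start/stop task ID, execute yes/no). The following is an added example, not code from the session or from Microsoft IT's runbooks: a minimal PowerShell task runner with that shape. The task commands are stand-ins (an assumption) so it can be exercised on any machine; the real tasks would wrap the ConfigMgr setup, sqlcmd, robocopy and similar. The target server name is a placeholder.

```powershell
# Task Configuration: Id, Run Order, Command, Parameters and a Success Criteria
# regex that is tested against the captured output of the command.
$TaskConfig = @(
    [pscustomobject]@{ Id = 1; RunOrder = 1; Name = 'Run QC Checks'
                       Command = { param($Path) Test-Path -Path $Path }          # stand-in
                       Parameters = @($env:SystemRoot); SuccessCriteria = '^True$' }
    [pscustomobject]@{ Id = 2; RunOrder = 2; Name = 'Disable SQL Agent Jobs'
                       Command = { param($Job) "Disabled job $Job" }             # stand-in
                       Parameters = @('CM_SiteBackup'); SuccessCriteria = '^Disabled job ' }
    [pscustomobject]@{ Id = 3; RunOrder = 3; Name = 'Upgrade Site'
                       Command = { param($ExitCode) "setup exit code $ExitCode" } # stand-in
                       Parameters = @(0); SuccessCriteria = 'exit code 0$' }
    [pscustomobject]@{ Id = 4; RunOrder = 4; Name = 'Run Post QC Checks'
                       Command = { param($ProcId) (Get-Process -Id $ProcId).Id }  # stand-in
                       Parameters = @($PID); SuccessCriteria = "^$PID$" }
)

# Build Configuration: where to run, which task IDs, and whether to execute at all.
$BuildConfig = [pscustomobject]@{
    Target = 'PR1-SITE01.corp.example'   # placeholder server name
    StartTaskId = 1; StopTaskId = 4; Execute = $true
}

function Invoke-UpgradeBuild {
    param([object[]]$Tasks, [psobject]$Build)

    if (-not $Build.Execute) {
        Write-Warning "Execute=No for $($Build.Target); no tasks run."
        return @()
    }

    # Honour Start/Stop Task ID from the build file, then execute in Run Order.
    $selected = $Tasks |
        Where-Object { $_.Id -ge $Build.StartTaskId -and $_.Id -le $Build.StopTaskId } |
        Sort-Object RunOrder

    $results = foreach ($task in $selected) {
        $params = @($task.Parameters)
        try {
            # Capture stdout and errors together so the success regex sees both.
            $output = (& $task.Command @params 2>&1 | Out-String).Trim()
        } catch {
            $output = "EXCEPTION: $($_.Exception.Message)"
        }
        $ok = $output -match $task.SuccessCriteria
        [pscustomobject]@{
            Target = $Build.Target; TaskId = $task.Id; Name = $task.Name
            Succeeded = $ok; Output = $output
        }
        # Stop the build at the first task whose output does not meet its criteria,
        # so a failed QC check never lets the site upgrade step run.
        if (-not $ok) {
            Write-Warning "Task $($task.Id) '$($task.Name)' failed on $($Build.Target); stopping build."
            break
        }
    }
    return $results
}

Invoke-UpgradeBuild -Tasks $TaskConfig -Build $BuildConfig |
    Format-Table TaskId, Name, Succeeded, Output -AutoSize
```

Keeping the success criteria as data rather than as code is what makes the same runner reusable across the automation types the slide lists (CM12 SP1 upgrade, new CM07 infra, new CM12 SP1 infra): only the task file changes.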
Cloud Based Distribution Point: Microsoft IT Evaluation
• Did not find a location at Microsoft IT that meets requirements to deploy
• Provisioned in LAB for validation purposes

Pros
• Content is encrypted by the CM site before being sent
• Cloud DPs can be scaled up/down to meet current demand with high availability
• Supports BranchCache clients to control cost

Cons
• Cloud DP does not support PXE, multicast, OSD, App-V streaming, task sequences, or packages that run from the cloud DP

More info available here: http://blogs.technet.com/b/configmgrteam/archive/2013/01/31/new-distribution-points-in-configuration-manager-sp1.aspx

[Diagram: PR1 with MP and MP/DP on the Corporate Network; Windows Azure Distribution Point and Microsoft Update beyond the FIREWALL; policy comes from the MP, content from the cloud distribution point]
Software Update Point and Network Load Balancer

Note Worthy Items
• Software update points were redesigned in SP1
• Multiple software update points per site are supported, in the same forest or in a different forest
• You no longer have the option to configure a software update point as a network load balancer via the console
More info available here: http://technet.microsoft.com/en-us/library/gg682168.aspx

Pre & Post Upgrade
• Pre Upgrade: Required to remove the network load balancer for your active software update points
• Post Upgrade: Admin has the option to reconfigure NLB by using the Set-CMSoftwareUpdatePoint PowerShell cmdlet
If you are using SUP with NLB and SUP-based client installation then this is a MUST to know!!

Software Update Point and NLB Walkthrough
1. Remove the network load balancer as a pre-upgrade step for your active software update points
2. Post SP1 upgrade you have the option to reconfigure the NLB
3. Connect Windows PowerShell via the ConfigMgr Console
4. Use the Set-CMSoftwareUpdatePoint PowerShell cmdlet to configure the NLB (parameter name as shown on the slide; confirm it with Get-Help Set-CMSoftwareUpdatePoint on your build):
   Set-CMSoftwareUpdatePoint -SiteSystemServerName <your.SUPserver.fqdn> -VirtualIP <nlb.fqdn> -Confirm
   or
   Set-CMSoftwareUpdatePoint -SiteSystemServerName <your.SUPserver.fqdn> -VirtualIP <nlb ipaddress> -Confirm
5. You can verify it by running the following query against the site database. The OR is parenthesised here; as written on the slide, AND binds tighter than OR, so the query also returned PublicVIP rows for every other site system role:
   select * from SC_SysResUse_Property p
   inner join SC_SysResUse s on s.ID = p.SysResUseID
   where s.RoleTypeID in (select RoleTypeID from SC_RoleType where RoleName='SMS Software Update Point')
     and (p.Name='NLBVIP' or p.Name='PublicVIP')
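As an added example (not from the session), the verification in step 5 run from PowerShell against the site database with integrated security, so it can be dropped into the post-upgrade QC checks. The SQL server and database names are placeholders; the role name is passed as a parameter and the OR is parenthesised.

```powershell
function Get-CMSupNlbProperty {
    param(
        [string]$SqlServer = 'CMSQL01.corp.example',   # placeholder
        [string]$Database  = 'CM_PR1'                   # placeholder site database
    )
    # Same query as the walkthrough, with the OR parenthesised so it is scoped
    # to the software update point role only.
    $query = @"
SELECT s.*, p.*
FROM SC_SysResUse_Property p
INNER JOIN SC_SysResUse s ON s.ID = p.SysResUseID
WHERE s.RoleTypeID IN (SELECT RoleTypeID FROM SC_RoleType WHERE RoleName = @RoleName)
  AND (p.Name = 'NLBVIP' OR p.Name = 'PublicVIP')
"@
    # Integrated security: run as an account with db_datareader on the site DB.
    # Add Encrypt=True once the SQL server has a certificate the client trusts.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlServer;Database=$Database;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@RoleName', 'SMS Software Update Point')

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        [void]$adapter.Fill($table)
    } finally {
        $conn.Dispose()
    }

    if ($table.Rows.Count -eq 0) {
        Write-Warning "No NLBVIP/PublicVIP property on any software update point in $Database; NLB is not configured."
    }
    return $table.Rows
}

Get-CMSupNlbProperty | Format-Table -AutoSize
```

An empty result after the upgrade is the expected state until step 4 has been run; a row per software update point with the VIP you passed to Set-CMSoftwareUpdatePoint confirms the reconfiguration took.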
Client Upgrade Experiences

Automatic Client Upgrade
• Upgrades any clients below the hierarchy version to the minimum client version
• Simple, easy, and automatic
• Provides an automatic deployment mechanism to distribute client language packs

Challenges
• Both client push and software distribution based upgrades have administrator overhead
• Publishing a new client via WSUS may cause server overload

Key Benefits
• Provided a simple and automatic method for upgrading clients
• Ensured clients remained at a minimum baseline client version
• Ensured serviceability of pre-reqs and language packs
Automatic Client Upgrades

Status via console: Automatic Client Upgrades Enabled; number of days allotted; When: Modified Date; Who: Modified By; What: Client Version Baseline

Sequence of Events
1. Enable client automatic upgrade
2. All systems receive the new policy
3. All systems run a required (hidden) deployment for the upgrade package "Ccmsetup.exe /autoupgrade"; only this package is downloaded, and it is <1 MB
4. Ccmsetup creates a scheduled task that executes based on the "days to upgrade" value specified in the console
5. The scheduled task executes with a callback to ccmsetup; if prereqs are needed, they are downloaded at this time
6. Ccmsetup executes, performing the upgrade using the last executed command line parameters
7. The scheduled task is deleted; ccmsetup.exe and ccmsetup.cab are moved to the cache folder

[Diagram: Detailed Steps / Scheduled Task]
Demo: Client Upgrades Using Auto Deployments

Automatic Client Upgrades @ Microsoft IT
Enabled for ~270,000 clients geo-distributed across five primary sites
Auto Client Upgrades: Note Worthy Items
• If the scheduled task executes while the device is disconnected, the task will fail
• The last successfully executed command line will run
• Client health remediation will not cause a pending auto upgrade to cancel; only another client deployment request will cause the scheduled task to cancel
• Auto upgrade will not run if the system is on a slow or unreliable network; it will show as waiting for content
• Client automatic upgrade cannot be used to deploy ConfigMgr updates
• If the days-to-upgrade deadline has already passed, all clients past the days to upgrade will upgrade within 24 hours
• The automatic client upgrade schedule will adhere to maintenance windows if they are being used
• If an embedded system goes into a servicing maintenance window, the client will be upgraded on those systems that have write filters enabled
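For the sequence of events and the note-worthy items above, here is an added example (not from the session) that reports where a client stands: at or above the baseline, upgrade task scheduled, task ran and failed (for instance while disconnected), or below baseline with no task yet (policy not received or waiting for content). ClientVersion is read from the client WMI namespace; the baseline version is an input because the console value is not visible from the client. The scheduled task name and ccmsetup log path are assumptions based on what ccmsetup uses; adjust them if your build differs. It needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
function Get-CMClientAutoUpgradeState {
    param(
        [Parameter(Mandatory)][version]$BaselineVersion,
        [string]$TaskName = 'Configuration Manager Client Upgrade Task',   # assumption
        [string]$LogPath  = "$env:SystemRoot\ccmsetup\Logs\ccmsetup.log"   # assumption
    )
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
    if (-not $client) {
        return [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; State = 'NoClient' }
    }
    $current = [version]$client.ClientVersion

    # The task ccmsetup /autoupgrade creates; absent once the upgrade completes (step 7).
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # Task Scheduler result codes that do not mean failure:
    # 0 = success, 0x41301 = currently running, 0x41303 = has not run yet.
    $benign = @(0, 0x41301, 0x41303)

    # Last ccmsetup.log line: shows "waiting for content" on slow links or the
    # error from a run that happened while the device was disconnected.
    $lastLog = if (Test-Path $LogPath) { Get-Content $LogPath -Tail 1 } else { $null }

    $state = if ($current -ge $BaselineVersion) { 'AtOrAboveBaseline' }
             elseif ($task -and ($info.LastTaskResult -notin $benign)) { 'TaskRanAndFailed' }
             elseif ($task) { 'UpgradeScheduled' }
             else { 'BelowBaselineNoTask' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ClientVersion  = $current
        Baseline       = $BaselineVersion
        State          = $state
        NextRunTime    = $info.NextRunTime
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult
        LastLogLine    = $lastLog
    }
}

# 5.00.7804.1000 is the System Center 2012 Configuration Manager SP1 client version.
Get-CMClientAutoUpgradeState -BaselineVersion '5.00.7804.1000' | Format-List
```

Run it through a collection-wide script or a compliance item to find the long tail of 'TaskRanAndFailed' and 'BelowBaselineNoTask' machines that the console's deployment status alone does not separate.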
Application Management

Modern Application Delivery
Native management of Windows RT, Windows Phone 8 and iOS through Windows Intune Unified Management

Administration across Windows RT, Windows Phone 8 and iOS
• Available user targeted apps
• DeepLink support
• In console deployment monitoring

Single pane of glass: manage app deployments to modern devices through integration with the ConfigMgr SP1 admin console
Simplified Administration Experience
Advanced Modern Device Management
Windows 8 Side-Loading Requirements
• Enterprise Client SKU
  • Machine must be domain joined OR requires a special key to enable side-loading
  • Enable the policy (GP) "Allow all trusted apps to install"
• Other Client SKUs (Windows 8 Pro & Windows RT)
  • Requires a special key to enable side-loading
  • Enable the policy (GP) "Allow all trusted apps to install"
  • Domain join on the Pro SKU does nothing for side-loading
• All Server SKUs
  • Machine must be domain joined; no separate "activation" via a special key is currently supported
  • Enable the policy (GP) "Allow all trusted apps to install"
Building and Deploying Windows 8 LOB
1. Build: Enterprise builds the LOB app or gets the app from an ISV outside of the store
2. Certify: Certify the LOB app using the Windows App Certification Kit
3. Sign: Sign with an enterprise-trusted cert; the publisher name in the certificate and in the package must match
4. Deploy: Deploy using System Center 2012 Configuration Manager SP1
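Two checks a practitioner would want before the deploy step, as an added example that is not code from the session: one for the side-loading requirements on the slide above, one for the sign step. Test-SideloadPrerequisite reads the "Allow all trusted apps to install" policy (which Group Policy writes as AllowAllTrustedApps=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx), the edition and domain membership; the side-loading product key for Pro/RT cannot be read from the registry here, so that case is reported as needing the key. Test-AppxPublisherMatch compares the Publisher attribute in AppxManifest.xml with the subject of the certificate that signed the .appx, which Windows requires to match exactly. The package path is a placeholder.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SideloadPrerequisite {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                               -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    $allowTrusted = ($policy.AllowAllTrustedApps -eq 1)
    $domainJoined = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $edition  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation

    # Enterprise and Server SKUs: domain join + policy is enough.
    # Pro / RT: policy + side-loading key; domain join does not help.
    $verdict = if (-not $allowTrusted) { 'Policy "Allow all trusted apps to install" is not set' }
               elseif ($isServer) {
                   if ($domainJoined) { 'OK (server, domain joined)' } else { 'Server SKU needs domain join' }
               }
               elseif ($edition -match 'Enterprise') {
                   if ($domainJoined) { 'OK (Enterprise, domain joined)' } else { 'Enterprise needs domain join or a side-loading key' }
               }
               else { 'Pro/RT: needs a side-loading key (cannot be verified here); domain join does not help' }

    [pscustomobject]@{
        Edition = $edition; DomainJoined = $domainJoined
        AllowAllTrustedApps = $allowTrusted; Verdict = $verdict
    }
}

function Test-AppxPublisherMatch {
    param([Parameter(Mandatory)][string]$PackagePath)

    # An .appx is a zip; the Publisher lives on Package/Identity in AppxManifest.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $declared = $manifest.Package.Identity.Publisher

    # Subject of the signing certificate and the chain verdict for the package.
    $sig    = Get-AuthenticodeSignature -FilePath $PackagePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Package           = Split-Path $PackagePath -Leaf
        DeclaredPublisher = $declared
        SignerSubject     = $signer
        SignatureStatus   = $sig.Status
        PublisherMatches  = ($signer -ceq $declared)            # exact, case-sensitive
        Deployable        = ($sig.Status -eq 'Valid') -and ($signer -ceq $declared)
    }
}

Test-SideloadPrerequisite
Test-AppxPublisherMatch -PackagePath 'C:\LOB\ContosoExpenses_1.0.0.0_x64.appx'   # placeholder
```

A package whose SignatureStatus is not Valid on the target will fail to install even when the publisher strings match, because the enterprise CA has to be trusted on the client before side-loading works; checking both properties on a reference machine catches that before the application is distributed.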
Demo: Modern Apps
Application Virtualization @ Microsoft IT
App-V 4.6 SP2 and App-V 5.0 can coexist for easy migration!

App-V in ConfigMgr SP1
App-V 4.6 SP2 Support
• Needed for Windows 8
• Same feature functionality
App-V 5.0
• New deployment type for App-V 5.0 applications
• Integrated with App-V connection groups

Virtual Application Connection
Next Generation DSC (Dynamic Suite Composition)
• Packages can be deployed in multiple Virtual Application Connection Groups
• Configuration is separate from packages
Integrated w/ App-V Mgmt. Server and ConfigMgr
• Create and configure via the server user interface or PowerShell
• Know the dependencies
Manage in Standalone Mode
• Can use PowerShell to create and manage
Supported Configurations
• Applications + Plugins
• Applications + Middleware
• Applications + Applications

Migration from App-V 4.6 & ConfigMgr SP1
1. Convert packages to App-V 5.0
2. Deploy the App-V 5.0 client via Configuration Manager
3. Copy App-V apps, create App-V 5.0 DTs and supersede
4. Create virtual environments
5. Deploy App-V apps
Mac and Device Management

Mac Management @ Microsoft IT
Pilot Overview
• Collaborated with the Microsoft IT certificate team to obtain the appropriate user cert
• Leveraged the user enrollment model for Mac agent installation
• Automated ConfigMgr SP1 agent installation using a custom script to reduce actions on the user side:
  1. Agent installation
  2. Certificate enrollment
  3. Machine reboot
• Deployed the Microsoft IT security policies below to all enrolled Mac machines

Policy                            Setting
Screen Saver Idle Time            900 (seconds)
Require Password at Screen Saver  Yes
Password Strength                 Alphanumeric Required: Yes; MinChars=8; MaxFailedLoginAttempts=8; MaxDaysUntilChangePassword=70

• Deployed Skype and SCEP via Software Distribution deployments

Mac Management: Food For Thought
Note Worthy Items
• Macs in Microsoft IT are not domain joined
• Devices need to be corpnet connected
• Published Mac agent bits and script on boundary servers
• Changed client settings using Settings Management
• Deadline time for software distribution: 120 minutes
• Reboot delay: 60 minutes
Key Benefits
• Provides Microsoft IT an on-prem native management solution for managing Macs across the Yammer, Skype and MacBU/Apex business groups
• Less complex network design as the Device Management Point is not internet facing
• Met Corp Security requirements by driving the Product Team to leverage user cert based enrollment vs. machine cert based enrollment
Unified Device Management Scope @ MSIT

Device Enrollments and Modern Apps
Native Management Scope
• Windows Phone 8: Current: 140; Planned: 24k
  Apps Published: 9 WP8 LOB, 1 deep linked
• Windows RT: Current: 35; Planned: 19k
  Apps Published: 12 WinRT apps, 2 deep linked
• Android: EAS only

Unified Device Management Solution @ MSIT
Device Management
• Windows PCs, Macs: ConfigMgr SP1
• WP, Android, smart phones, etc: EAS
• WP8, WinRT, iOS: Intune (native mgmt.)
Unified Management
• ConfigMgr 2012 SP1 on-prem infra
• Windows Intune Wave D cloud
• Exchange connector (reporting)
Administrative Experience
• Single pane of glass and simplified administration
• Managed via ConfigMgr console

[Architecture diagram: Unified Device Management Architecture / Unified Management @ MSIT. Devices: Windows PCs (x86/64) and Mac OS via ConfigMgr SP1; Windows RT, Windows Phone 8 and iOS via Windows Intune (Wave D Beta); Windows Phone, Android, smart phones, etc. via EAS. Administrative experience: single pane of glass, simplified administration, Microsoft IT unified management infrastructure]

Unified Device Management
Note Worthy Items
• Device scale: 100k user limit
• Company portal and WIPE scenarios evaluated for Windows Phone 8 and Windows RT devices
• Corporate Security EAS policies enforced via Settings Management
• Exchange connector used to consolidate inventory and merge device records
• End user education provided via enrollment and Microsoft IT Work Smart guides
• Created FAQs and support guides for Help Desk and Microsoft Tier 2 support teams
• Developed custom inventory reports to provide a consolidated view of enrolled devices
• Microsoft IT broad device management communications/enrollments planned for June 2013

More In Depth Session: UD-B311
Wednesday, April 10, 2013 | 2:45 PM - 4:00 PM
UD-B311 - Deploying System Center 2012 Configuration Manager SP1 With Windows Intune
Wake Up Proxy Implementation
1. Enabled Wake Up Proxy agent installation using a custom client agent setting
2. Identified the DA (DirectAccess) gateway address and configured it
3. Traced network performance after Wake Up Proxy agent installation during the pilot
4. Targeted the Wake Up Proxy agent at regions having high opt-out: 16k machines

Wake Up Proxy: Food For Thought
• Three machines per subnet are kept awake, chosen randomly, to act as the wake-up proxies
• Ping (ICMP echo) must be allowed on the network
• Practitioner note, not on the slide: a wake-up proxy keeps a sleeping computer reachable by answering for its IP address on the subnet, which switch port security, ARP inspection or network monitoring tools can flag as ARP spoofing; confirm with the network team before enabling it beyond a pilot
Food For Thought: Additional Useful Information & Resources
• ConfigMgr 2012 SP1 is now supported on SQL 2012 with a minimum cumulative update of CU2, and is not supported on SQL 2012 SP1: http://support.microsoft.com/kb/2817245
• Cumulative Update 1 for System Center 2012 Configuration Manager Service Pack 1: http://support.microsoft.com/kb/2817245
• Reports improved in SP1 for using role based administration defined in the console
• If you love automation, don't forget to check out the 471 Configuration Manager SP1 PowerShell cmdlets available here: http://technet.microsoft.com/en-us/library/jj821831.aspx
• Explore Pull Distribution Points for content management and to save WAN traffic cost at sites serving large numbers of distribution points
• New updated toolkit for SP1 with additional add-ons such as Content Library Transfer; download from here: http://www.microsoft.com/en-us/download/details.aspx?id=36213&WT.mc_id=rss_alldownloads_all

Additional Resources
• Microsoft IT Windows Phone 8, Windows RT and iOS enrollment guides: http://sdrv.ms/10f5g2y
• Microsoft IT Mac enrollment script: http://sdrv.ms/10f5s1M
• Makeappx and signtool article: http://msdn.microsoft.com/en-us/library/windows/desktop/hh446767(v=vs.85).aspx
In Review
Session Objectives
• Share real world deployment experiences of System Center 2012 SP1 Configuration Manager
• Explain how Microsoft uses the new features in System Center 2012 SP1 Configuration Manager
Key Takeaways
• Apply lessons learned from deploying System Center 2012 SP1 Configuration Manager
• Plan to implement new features in System Center 2012 SP1 Configuration Manager

Related Content from Microsoft IT
• UD-B328 The Top Ten Lessons Learned in Managing SQL & Reporting
• UD-B319 How Microsoft IT Upgrades System Center Configuration Manager 2012 Hierarchy with System Center Orchestrator Automation
• UD-B311 Deploying System Center 2012 Configuration Manager SP1 With Windows Intune

More Information
• System Center in Action Site: http://blogs.technet.com/b/system_center_in_action
• Technical Case Study: How Microsoft IT Deployed System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/library/hh913620.aspx
• Technical Case Study: User-Centric Client Management with System Center 2012 Configuration Manager in Microsoft IT: http://technet.microsoft.com/en-us/library/hh925141.aspx
• Shitanshu Verma's Blog: http://blogs.msdn.com/b/shitanshu
Evaluation
Complete your session evaluations at a CommNet kiosk or at www.2013mms.com (MMS 2013, Mandalay Bay). Session recordings are available after the event via MMS Online: http://channel9.msdn.com/Events
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.