Introduction to Configuration Manager 2012 (Part 1)In this article, I will provide a revision to an article previously published on this site that was an introduction to an early beta version of what was then known as System Center Configuration Manager 2012.IntroductionAbout a year ago, I published an article here that was an introduction to an early beta version of what was then known as System Center Configuration Manager 2012# Much information has changed in the past year, including the products name# In this article, I will provide a revision to that original piece and in follow up parts, will expand on what can be done with Configuration Manager#Advertisement The name changeMost noticeably, the product name has changed and its no longer available as a standalone product# Its now sold as a part of the System Center 2012 suite and is officially known as System Center 2012 Configuration Manager, which places the emphasis on System Center as a whole# That said, Ill still abbreviate it as SCCM 2012#SCCM 2012 brings with it a number of changes that make it very different from previous versions of the product# Im getting pretty involved in the product for a project and will share my thoughts with you as I go through the paces#This article and the subsequent pieces are all based on the released version of the product#SCCM 2012 system requirementsThe SCCM 2012 client is supported on the following: Windows XP Professional SP3 Windows XP Professional 64-bit SP2 Vista Business, Enterprise, Ultimate, SP1, SP2, 32-bit & 64-bit Windows 7 Enterprise and Ultimate Windows Server 2003 SP2 Windows Server 2003 R2 Windows Server 2008 Standard, Enterprise & Data Center #Itanium systems are not supported# Windows Server 2008 R2, SP1, SP2 Windows Storage Server 2008 R2 Windows Embedded/Thin systems based on Windows XP SP3 and Windows 7SCCM 2012 does have a few limitations you should understand if you decide to deploy it in your environment: Data Center editions of Windows are supported but are not certified for SCCM 2012# If there is a Data Center-specific problem that arises in SCCM 2012, Microsoft may not provide a fix# SCCMs new Application Catalog is not supported in Embedded versions of Windows# EndpointProtection is not supported with versions of WindowsEmbedded that are based on WindowsXP#Hardware requirementsOther requirementsBefore you install SCCM 2012, make sure that you also install the #NET Framework 4#0# This will probably require a restart of your system# #NET Framework 4#0 is not included in Windows Server yet, so youll need to download it from Microsoft#In addition to the #NET Framework 4#0, youll need to install the following role services and features from Server Manager: Remote Differential Compression Background Intelligent Transfer Service IIS WMI Compatibility Component You will most likely have to restart your computer after installing these components. In Figure 1, youll see an example of what it takes to install these prerequisite components.

Figure 1: Installing the SCCM 2012 prerequisite componentsSQL Server requirementsLike its predecessors, SCCM 2012 requires the use of a SQL Server-based data repository into which all SCCM data will be written. The following versions of SQL Server are supported for use with SCCM 2012: SQLServer2008 SP2 with Cumulative Update 9 SQLServer2008 SP3 with Cumulative Update 4 SQL Server 2008 R2 with SP1 Cumulative Update 6In addition, there are some other considerations to keep in mind with regard to SQL Server. SCCM 2012 requires a dedicated SQL Server instance that doesnt also house other application data. This doesnt mean that you need a separate, dedicated SQL Server just for Configuration Manager; you can simply add an instance to an existing SQL Server that you have running in your organization. If you choose to use a named instance of SQL Server rather than a default SQL Server instance, you must use the SQL Server Configuration Manager to configure the selected named instance to listen on port 1433. Whichever instance you choose to use for Configuration Manager must use case-insensitive collation .SQL_Latin1_General_CP1_CI_AS. Enable named pipes as a communications option on the SQL Server and the restart the SQL Server service. Add the computer account to the Local Administrators account in the intended SQL Server.Installation processTo get started with the main installation process, browse to the location to which you downloaded SCCM 2012 and double-click the splash.hta file. Click the Install option to get started.

Figure 2: The SCCM 2012 installation splash pageYoure next presented with a screen that provides loose prerequisite information. Theres not much to see here so just click the Next button to move on.

Figure 3: Prerequisite information regarding SCCM 2012For your initial installation, youre presented with a couple of options with regard to installation. First, you can choose to install a Primary Site Server. Or, you can choose to install a Central Administration site. If you choose to do a primary site server installation, you can also fast-track the process by selecting the checkbox next to Use typical installation options for a stand-alone primary site. In order to make sure you see all of the options, Im not going to take this easy route. Figure 4 gives you a look at the setup options.

Figure 4: Choose your setup optionIn Figure 5, youll see the next step in the installation process. This is a fun-filled page that asks you to provide your product key. Once youve done so, click Next to proceed.

Figure 5: Product key and license pageYou have to agree to the license terms as they appear in Figures 6 & 7. Figure 6 is the license agreement for SCCM 2012 while Figure 7 is a series of license agreements covering a number of the prerequisite components necessary for SCCM to operate. You must agree to all of the license terms in order to proceed.

Figure 6: License agreement

Figure 7: Component agreementsAs a part of the installation, the installer looks for updated prerequisites. In order to store these files, you must create a directory for this purpose. As you can see in Figure 8, I created a folder named c:\sccmdl and have specified this folder as the download destination. Ive already downloaded the necessary files.

Figure 8: Download updated prerequisite componentsBoth the SCCM server and the SCCM client software support multiple languages. On the next two screens of the installer, shown in Figures 9 and 10, youre asked to select the languages that youd like to have supported in your environment.

Figure 9: Select your server language options

Figure 10: Select your client language optionsIf youve used Configuration Manager in the past, the information requested on the Site and Installation Settings page .Figure 11. will be familiar. Here, youre asked to provide your Configuration Manager site code, site name and the location to which you want to install the product. Ive used a site code of SDL and have opted to install the Administrator Console.

Figure 11: Configure your site and installation settingsYou may be adding your new SCCM 2012 site to an existing Configuration Manager hierarchy. For this installation, I am installing a brand new SCCM 2012 site and have no plans to expand it, so Im going to install it as a standalone primary site.

Figure 12: What kind of site are you installing?When you make this selection, you receive a warning indicating that you cant join this site to a hierarchy later on. If this is ok, click Yes to continue.

Figure 13: A friendly reminderThe database server is an integral component in your SCCM infrastructure. Ive already installed SQL Server 2008 R2 SP1 with CU6 on the a separate server from SCCM 2012. On the screen shown in Figure 14, youll notice that Ive provided the name of my SQL server .SCCMSQL., the name of the database .CM_SDL. and a folder that will be used for SQL replication snapshot.If Id decided to use a SQL instance, I would have specified the database as instancename\CM_SDL instead. In my case, Ive decided to use the default instance.

Figure 14: Point the installer at your database serverIn most of its products, Microsoft offers to allow customers to join the Customer Experience Improvement Program. You arent provided with an opportunity to opt into this program. On this page, simply click Next to move on with the process after you make your selection.

Figure 15: Do you want to join the program?The next page of the installation wizard asks you to specify the server to which the SMS Provider will be installed. The SMS Provider is the component responsible for console to SCCM database communication. In Figure 16, youll see that Im installing the component to the server named SCCM2012.

Figure 16: Which server will hold the SMS Provider?In previous versions of SCCM, administrators had to make a choice between running their site in either Mixed or Native mode, with Native mode adding additional security. Native mode also required the use of a Public Key Infrastructure .PKI.. In SCCM 2012, Mixed and Native mode have been removed in favor of something a bit more flexible. Specifically, you now decide whether to use HTTP or HTTPS for client computer communication. For my purposes, Im going to allow clients to use HTTP but make use of HTTPS if its available and configured. In a later part in this series, well cover whats needed to make HTTPS work.

Figure 17: Specify the mode by which SCCM clients will communicateConfiguration Manager is made up of a number of components that can be distributed across multiple servers. In the case of the SCCM 2012 installation, youll note that you can install two roles during the installation process the management point role and the distribution point role.The management point role acts as the intermediary between SCCM clients and the SCCM site server. The distribution point role is used to store packages that are then distributed out to clients.On the screen shown in Figure 18, youll see that Ive decided to install both roles on the server named SCCM2012 and configured both services to communicate using HTTP.

Figure 18: Do you want to install these two site system roles?On the Settings Summary page .Figure 19., the installer follows up with a summary of all of the selections youve made throughout the process. Review your selections and click the Next button to continue.

Figure 19: Here's your installation summary pageOnce youve reviewed your settings, the installer reviews your system to ensure that it meets all of the requirements. If your system has warnings or errors, you will be notified so that action can be taken, if necessary.When youre done, youre told that the process was successful .hopefully!.. At this stage, you also have the option to launch the console right after the installation is complete.

Figure 20: The installation is completeSummaryAt this point, your new SCCM 2012 installation is complete and youre able to start investigating the new features and the console, which is exactly what well be doing in the next part of this article series.The consolePerhaps the most visible change to the SCCM 2012 administrative experience lies in the complete overhaul of the administrative console. Whereas even SCCM 2007 still carried remnants of the original SMS product, SCCM 2012 will never be mistaken for an older version. In all of the System Center 2012 products, Microsoft has implemented a consistent administrative experience, helping administrators more easily jump between the individual products in the suite. After all, you shouldnt need to learn a different administrative model for each part of a group of interrelated products.Even the consoles foundation has changed and no longer relies on the Microsoft Management Console framework. SCCM 2012 instead has its own model, which is based on that of Outlook, as you can see in the figure below.

Figure 1: The SCCM 2012 administrative consoleImmediately, the Outlook-like nature of the console becomes apparent. In the lower left corner of the screen, you can see a series of what Microsoft calls wunderbars, or distinct administrative areas of the product. Above that, there is the navigation area, which changes based on which wunderbar is active. At the very top of the screen is the now-familiar Ribbon, which has replaced Microsofts traditional menu-driven interfaces. Personally, as the Ribbon makes its way into more and more products, the more useful I find it.The balance of the screen is consumed by a large informational and detail area that shows information based on whatever is currently selected or the action thats underway. Because of this overhaul and due to Microsoft shifting elements around, SCCM 2012s interface enables administrators to take quicker reactive actions when things start to go south and also provides more proactive monitoring than was found in earlier versions of the software.A security overhaulAlthough its not as immediately obvious, the console has also undergone a complete security makeover. Gone are the days when primary sites defined security boundaries. This is a good thing! It allows administrators to drastically simplify their SCCM architecture. Now, rather than deploying a bunch of primary sites just to enable granular administration, you can use SCCM 2012s new Role Based Access Control function to achieve extremely granular administrative segregation.Role Based Access Control is found in many System Center 2012 products. In addition to restricting what users can do, it limits what users can see when theyre in the console. RBAC hides interface elements based on user profile so that the user is shown only what is relevant.Security in SCCM is controlled through the application of roles and scopes. A role defines what a user can do and a scope defines where a user can do it. When these two items are overlapped, youre left with a look at a users abilities in the SCCM console.SCCM ships with 14 predefined security roles, but administrators can create additional roles to meet unique business needs. During the initial installation of SCCM, the administrative account is added to the Full Administrators role. Heres a look at the list of roles available in SCCM 2012.Note:This information was pulled directly from the SCCM console.RoleRole description

Application AdministratorGrants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, and edit settings for user device affinity.

Application AuthorGrants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications, packages.

Application Deployment ManagerGrants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, and conditional delivery rules.

Asset ManagerGrants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.

Compliance Settings ManagerGrants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, and initiate compliance evaluation, and initiate remediation for non-compliant computers.

Endpoint Protection ManagerGrants permissions to define and monitor security policies. Administrative Users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify Alerts and monitor Endpoint Protection status.

Full AdministratorGrants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.

Infrastructure AdministratorGrants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.

Operating System Deployment ManagerGrants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.

Operations AdministratorGrants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.

Read-only AnalystGrants permissions to view all Configuration Manager objects.

Remote Tools OperatorGrants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.

Security AdministratorGrants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.

Software Update ManagerGrants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP).

Table 1As you can see from the table above, these roles all define what users that are members of the role can do. So, how do you control there where aspect?Thats where security scopes come into play. SCCM 2012 ships with two default security scopes: All. A built-in security scope that contains all securable objects. A Configuration Manager administrator associated with the All security scope will have the permissions of their role for every object in the Configuration Manager environment. Default. A built-in security scope with which securable objects can be associated.Neither of these security scopes can be changed or deleted.Appropriate objects in SCCM 2012 are tagged with security scopes and can be added to new security scopes, where necessary. This is how you can avoid having to create multiple primary sites to form security boundaries. Now, for example, you can simply change an existing sites security scope membership. To do so, right-click the site and, from the shortcut menu, choose Set Security Scopes. You can see this in Figure 2.

Figure 2: Changing a site's security scopeWhen the Set Security Scopes window appears, you will be shown a list of the security scopes that exist on the system. Note that there are two shown in Figure 3 Default and TEST, which I created.

Figure 3: The security scopes in my labThere are a number of different object types in SCCM 2012 that can be scoped in this way. So, a security scope secures based on a sort of instance element. You can also use collection limiting to further restrict what can be done.SummaryIts clear that Microsoft has gone to great lengths to simplify the SCCM administrative model. From redesigning the various System Center 2012 consoles to have a similar experience to implementing granular security controls that negate the need to create complex architectures in the name of security, SCCM 2012 is a major step in the right direction. In the next part of this series, we will continue to investigate SCCM 2012s new features.Discovery Discovery is an incredibly important process in SCCM. It is through discovery that you locate resources that can be brought into SCCM for management purposes. Further, some discovery methods enable the automatic creation of boundaries, virtual boxes in SCCM that help the system make sure that clients are managed appropriately.When an object is discovered, SCCM creates what is called a Discovery Data Record (DDR) that holds the details about the discovered object. This DDR will include information such as the computer name for a discovered computer or the user name for a discovered user account in Active Directory. These DDRs are processed by SCCM and entered into the SCCM database as objects that can be manipulated.In an out-of-the-box configuration, the only discovery method enabled by default is the heartbeat discovery method. In order to discover any other resources, an administrator must proactively decide which discovery methods to enable and then configure the selected methods.Beyond just using discovery to identify objects that can be managed with SCCM, you can also use discovered objects in queries that group similar objects for management purposes, thus further streamlining the desktop management process in your organization.Discovery optionsThere are a number of discovery options available in SCCM 2012. If youre used to older versions of SCCM, get used to some changes, too, as new methods have been introduced and some removed.Among the changes: Active Directory System Group Discovery is no longer available. A new discovery method named Active Directory Forest Discovery has been added. This new discovery method is described later in this article. Discovery information in one site is replicated to other sites using SCCM 2012s new database replication processes. The Active Directory Security Group Discovery method is now known as Active Directory Group Discovery. Further, this discovery method has been improved and can now discover the group memberships of discovered resources. Some Active Directory discovery methods (User, System, Group) now support Delta Discovery. Delta discovery itself is improved in SCCM 2012 and is a method by which discovery can locate just objects that have been added or changed since the previous discovery cycle.Now, lets explore each of the discovery options that are available to you.Active Directory Forest DiscoveryThis discovery method discovers forests, domains, AD sites, and IP subnets. Its a high level method that is new to SCCM 2012. Objects discovered using this method can be used to automatically create boundaries, which we will cover later.For each discovery method, there are settings that can be manipulated, which control how the discovery method works. In Figure 1, the very few settings that are available for Forest discovery are displayed.

Figure 1: Forest discovery optionsNote that this discovery method is enabled. Ive enabled it for use in my lab, but, be default, its not enabled.Once enabled, there are additional options you can configure. You can tell Configuration Manager that you would like to have boundaries automatically created based on any discovered Active Directory sites and you can do the same, but based on IP address ranges/IP subnets. Boundaries are used by SCCM to localize client management.Finally, you can configure discovery to run every so often so that it can discover new resources that might make their way into the environment. The default for Active Directory Forest Discovery is to run every week.Active Directory Group DiscoveryDiscovers Active Directory groups and group membership or computers and users. With this discovery method, you can also discover limited information about group member computers and users. Because this discovery method isnt as robust as other methods, its recommended that you not run this discovery method until after youve run either System or User discovery. Those two methods can create full Discovery Data Records for users and computers while Group discovery creates a much more limited DDR.Group discovery is not enabled by default and you need to provide a scope in which SCCM should look for new group resources.

Figure 2: Group discovery optionsWhen you choose the Add option, you can add an AD location that SCCM will use to look for new groups. This screen is shown in Figure 3.

Figure 3: Add an AD locationYou can also explicitly add Active Directory groups that SCCM will parse to discover group members. In Figure 4, the Add Groups window is shown. Here, you would provide the name for an AD group and let SCCM do the rest.

Figure 4: Add an Active Directory groupAs was the case for Forest discovery, Group discovery can be configured to run periodically in order to discover new resources. By default, this discovery method runs every 7 days, as you can see in Figure 5. In Figure 6, Ive also included the Custom Schedule window so that you can see the options that you have at your disposal for creating a discovery schedule.In Figure 5, note also the Enable delta discovery option. When this is enabled, which is the default setting, new resources that have been added or modified since the previous discovery will be discovered and added to or updated in the SCCM database.

Figure 5: Group discovery polling schedule

Figure 6: Create a custom scheduleThe Group discovery method also carries with it some additional options, which are shown in Figure 7. You can choose to have computers discovered only if they have logged in within, for example, the past 90 days. Remember, once a group is discovered, the members of that group are also discovered and computers can be members of groups, hence the computer login option.You can also choose to include only computers that have had their password updated within a certain period of time and can specify that Group discovery should also attempt to discover the membership of distribution groups rather than just security groups.

Figure 7: Group discovery additional optionsActive Directory System DiscoverySystem discovery is one of the two possible discovery methods (the other being Network Discovery) that you might use to discover client computers in the environment and to which the SCCM client might be installed. System discovery discovers a number of details about systems, including: Computer name Operating system and version Active Directory container name IP address Active Directory site Last Logon TimestampSystem discovery is one of the most common methods that you will use. As is the case for most of the discovery methodswith the only exception being Heartbeat discoverythe administrator must proactively enable the discovery option. With System discovery, the administrator also needs to specify the Active Directory container that should be searched for new system resources. In my example, Im searching at the root and have enabled recursion so that SCCM will be able to look in subcontainers, too.

Figure 8: System discovery settingsWith the System discovery method, you can also tell SCCM to retrieve additional Active Directory attributes for discovered resources. You might want to gather additional information to use in queries, for example.

Figure 9: System discovery additional Active Directory attributesAs was the case with Group discovery, System discovery also provides you with some additional configuration options, which are shown in Figure 10.

Figure 10: System discovery additional optionsActive Directory User DiscoveryThis discovery method discovers user objects from Active Directory. Again, you need to enable the discovery method and specify Active Directory containers that should be searched for new user objects.

Figure 11: User discovery settingsTheres not much else to say about User discovery. The other tabs Polling Schedule and Active Directory Attributes are the same as tabs that weve seen in other discovery methods.Network DiscoverySometimes, you might have network objects that cant be discovered via Active Directory discovery methods. The Network Discovery option allows you to go directly to the network to find new objects, such as computers, printers and network devices. Network discovery does have some downsides, though. Its quite noisy meaning that it generates a lot of network traffic and can be extremely resource intensive. As such, you should use other discovery methods before resorting this one.That said, you sometimes have to use Network Discovery. You may have systems that arent in Active Directory, such as workgroup computers, switches and other network devices.In Figure 12, you can see the general options that are available, including the ability to enable the discovery method. You will also see that there are three options available in the Type of discovery area: Topology. Discovers network topology by discovering subnets and routers. Topology and client. Adds to the mix by discovering clients. Topology, client and client operating system. Takes things a step further by attempting to also determine the client operating system and version.

Figure 12: Network discovery general settingsEvery network has subnets. In this spirit, SCCM provides you with a way to tell SCCM which subnets should be searched for resources (Figure 13). My lone subnet in my lab is 192.168.0.0/16.

Figure 13: Network discovery subnetsLikewise, you can tell SCCM to look in a domain.

Figure 14: Network discovery domain settingsFor SNMP devices, you need to tell SCCM about any community names that you might be using in your environment. As you can see in Figure 15, my lab domain uses the default of public as an SNMP community name.

Figure 15: Network discovery SNMP community namesYou can also indicate to SCCM specific SNMP devices that should be used to discover resources.

Figure 16: Network discovery SNMP devicesIf you are using Microsofts DHCP server in your environment, you can leverage that system to enable SCCM to use it to discover resources that can be brought into SCCM for management. Im not using a Microsoft DHCP server in my lab, so I cannot test this scenario right now.

Figure 17: Network discovery DHCP featuresHeartbeat DiscoveryHeartbeat discovery is different from all of the other discovery methods in that it doesnt actually discovery any new resources at all. Instead, heartbeat discovery is a client-initiated process that informs SCCM that the client is still alive and kicking.You can see in Figure 18 that there are just two options for Heartbeat discovery. Do you want to enable this discovery method and how often should clients check in?

Figure 18: Heartbeat discovery optionsSummaryDiscovery is a foundation SCCM process. Its absolutely required in order for you to move forward with your use of the product. In this article, you learned about the various discovery options at your disposal. In the next part of this series, well continue implementing SCCM 2012.Client SettingsClient settings are a crucial aspect of System Center Configuration Manager 2012. In older versions of SCCM, these were called client agents, but they still serve the same purpose in SCCM 2012. These settings control how the managed clients in SCCM 2012 will operate. In this article series, well go through each and every client setting and explain in detail the parameters that you can adjust.Background Intelligent TransferBackground Intelligent Transfer Service (BITS) is a Windows service that

Figure 1: Background Intelligence Transfer Service settings Limit the maximum network bandwidth for BITS background transfers. Limits the amount of bandwidth that BITS will use for background transfers. This can be useful in slow link scenarios or when bandwidth is at a premium. Throttling window start time. Provide the time of day at which throttling should start. Throttling window end time. Provide the time of day at which throttling should cease. Maximum transfer rate during throttling window (Kbps). Determine the maximum transfer rate that is allowed during the throttling window. For example, 1 Mb would be 1,000 Kb. Allow BITS downloads outside the throttling window. Decide whether or not BITS transfers are allowed outside the defined throttling window. Maximum transfer rate outside the throttling window (Kbps). Determine how fast transfers can take place outside the throttling window.Client PolicyThink of the client policy as a meta policy. This is the policy that determines how clients will handle receiving and updating their individual policies. The configuration for this client setting is pretty important as other SCCM functions often require machines to retrieve an updated client policy before they can work their own magic.

Figure 2: Client Policy settings Client policy polling interval (minutes). This value indicates to SCCM the interval by which clients should check in with the SCCM server to retrieve any policy updates that may have been made since the last check in. Enable user policy polling on clients. When SCCM is appropriately configured, enabling this parameter users logged in to managed clients are able to have programs targeted at them. Note that disabling this parameter will mean that applications targeted at users will not be deployed, even if they are required, and users may not see applications in the Application Catalog. Enable user policy requests from Internet clients. For sites that support Internet clients, when this parameter is set to True, endpoints on the Internet will receive both machine and user policy updates.Compliance SettingsCompliance Settings are an updated form of Desired Configuration Management, which was included in older versions of SCCM. With Compliance Settings, administrators can determine when a managed client has deviated from established baselines.

Figure 3: Compliance settings Enable compliance evaluation on clients. Decide whether or not clients will use their compliance evaluation capabilities. Schedule compliance evaluation. Determine the schedule by which compliance evaluation should take place.Computer AgentThe computer agent is another set of settings that are pretty core to how SCCM manages clients. The items here define some general settings that dictate how a wide swath of SCCM functionality will operate.

Figure 4: Computer Agent settings Deployment deadline greater than 24 hours, remind user every (hours). When a software deployment action is pending and is more than 24 hours out, choose the interval by which users will be reminded about the deployment. Deployment deadline less than 24 hours, remind user every (hours). For deployments that have a deadline that takes place within the next 24 hours, notify users about the deployment every X number of hours. Deployment deadline less than 1 hour, remind user every (minutes). Likewise, for deadlines in the next hour, choose the interval (in minutes) by which users should be notified of the deployment. Default Application Catalog website point. Define the address at which the client can find the Application Catalog. By default SCCM clients are configured to automatically detect the Application Catalog. Administrators can choose instead to force clients to use an automatically created intranet fully qualified domain name or the NetBIOS name for the server holding the Application Catalog. Administrators may choose instead to specify a custom URL. Add default Application Catalog website to Internet Explorer trusted sites zone. By setting this option to True, an administrator can direct clients to ensure that IE protected mode doesnt interfere with a client attempting to browse to the Application Catalog. Organization name displayed in Software Center. The Software Center is a part of a client installation and is one of the locations at which users can choose to install software that has ben deployed. This client setting is often populated with the name of the company. Install permissions. Specifies the users that are allowed to start the installation of deployed software. All Users. Any user logged in to a managed client can initiate a deployed software installation. Only Administrators. Only users that are members of the local administrators group can initiate a software installation. Only Administrators and primary users. This is the same as the previous option with one exception. If the device has been associated with a user through user/device affinity, the primary computer user can also initiate a software installation. No Users. Users can never initiate software installations. Only software marked as required will be installed. Suspend BitLocker PIN entry on restart. If a software installation requires a reset, should any configured BitLocker PIN be respected (Never) or should it be skipped (Always)? If the PIN is not suspended, the software installation process may await a users input of the PIN before proceeding. Agent extensions manage the deployment of applications and software updates. This setting should never be enabled unless you are using a third party software deployment solution that requires it. Enabling this setting can break SCCM 2012s ability to deploy software. PowerShell execution policy. If a deployment uses PowerShell, setting this option to Bypass overrides a clients configured PowerShell execution policy, which may be set to Restricted. Show notifications for new deployments. Enables or disables the display of new deployment notifications to a user.Computer RestartIf SCCM initiates an action that requires a computer restart, the settings here help to define what will happen when that restart takes place. After all, you dont want users to just have their PC all of a sudden restart with no warning whatsoever. That would result in lost work and a frustrated user base!

Figure 5: Computer Restart settings Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes). The user is able to close this window and continue working, but the countdown to restart continues for the interval shown. Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes). This is where SCCM means business. The user cannot close the display window and the countdown continues.SummaryAs you can probably see, there are a number of options associated with each client setting. Administrators can adjust these options to control client behavior in the environment. In the next part of this series, well continue our look at client settings.Client SettingsClient settings are a crucial aspect of System Center Configuration Manager 2012. In older versions of SCCM, these were called client agents, but they still serve the same purpose in SCCM 2012. These settings control how the managed clients in SCCM 2012 will operate. In this article series, well go through each and every client setting and explain in detail the parameters that you can adjust.Endpoint ProtectionIn previous versions of SCCM, adding support for what used to be called Forefront Endpoint Protection involved a series of steps that extended SCCM to be able to act as the central monitoring host for the Forefront Endpoint Protection antimalware tool. In SCCM 2012, support for the renamed System Center Endpoint Protection antimalware tool is built right into the product and there is a client setting providing administrators with a means to control how the Endpoint Protection installation will take place.

Figure 6: Endpoint Protection settings Manage Endpoint Protection on client computers. Selecting this option indicates that you wish to centrally manage Endpoint Protection from within the SCCM console. Install Endpoint Protection client on client computers. If System Center Endpoint Protection is not yet installed, changing this option to True will install Endpoint Protection on client computers. Automatically remove previously installed antimalware software before Endpoint Protection is installed. Endpoint Protection has the ability to uninstall some third party antimalware tools, including: Symantec AntiVirus Corporate Edition version 10 Symantec Endpoint Protection version 1 Symantec Endpoint Protection Small Business Edition version 12 McAfee VirusScan Enterprise version 8 Trend Micro OfficeScan Microsoft Forefront Codename Stirling Beta 2 or Beta 3 Microsoft Forefront Client Security v1 Microsoft Security Essentials v1 or 2010 Microsoft Forefront Endpoint Protection 2010 Microsoft Security Center Online v1 Suppress any required computer restarts after the installed Endpoint Protection client is installed. The Endpoint Protection installation does not respect maintenance windows established for clients. Therefore, if the Endpoint Protection installation requires a system restart, the system will restart at any time of day. To prevent this, enable this option. Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours). If the previous option is set to False, administrators can allow users to postpone a restart for a number of hours configured here. Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers. The initial Endpoint Protection deployment can be an impactful event since the software needs to be deployed and new definitions downloaded immediately. You can configure this option to reduce the overall impact by forcing clients to use just the SCCM server for initial definition updates.Hardware InventoryThe hardware inventory client setting controls how clients perform local hardware inventories and submit the information back to SCCM. Before discussing the hardware inventory, make sure you understand what is meant by the term MIF file.Management Information Files (MIF) are used by SCCM and clients to exchange hardware information. Administrators can extend SCCMs hardware collection capabilities by using MIF files to supplement what SCCM captures by default. However, you can also use the SCCM client settings configuration area to extend the information that SCCM captures by default.To learn more about MIF, visit this page.

Figure 7: Software Inventory settings Enable hardware inventory on clients. Directs clients to begin collecting local hardware information based on information configured here. Hardware inventory schedule. How often should a client perform a hardware scan and return information to an SCCM server? Maximum custom MIF file size (KB). A range of 1 KN to 5,000 KB is required here. This field indicates the maximum MIF file size that SCCM will process. If a file is returned from a client and its larger than this setting, the file will be ignored. Hardware inventory classes. Administrators can choose to collect all kinds of information from client hardware. You can see some of these in the screenshot above. Simply select the hardware classes that youd like to collection. The next time that the client performs a policy retrieval, it will be updated to include the new classes. Collect MIF files. None. Do not collect any MIF files from clients. Collect IDMIF files. IDMIF files are ones that contain inventory information from devices that are not managed by Configuration Manager. Select this option to collect IDMIF files from clients. Collect NOIDMIF files. NOIDMIF files are ones that contain hardware information that cant be inventoried directly by Configuration Manager. Select this option to collect NOIDMIF files from clients. Collect IDMP and NOIDMIF files. Collect both kinds of files from clients.Network Access Protection (NAP)The Network Access Protection client agent scans a local machine and sends the results of the scan to a System Health Validator Point. This SCCM capability requires that organizations have an existing Network Access Protection architecture already in place. Systems that do not comply with baselines may not be able to connect to the network until the situation is remediated.

Figure 9: Network Access Protection settings Enable Network Access Protection on clients. When enabled, client software updates are scanned and the results sent to a System Health Validator Point (SHVP). Use UTC (Coordinated Universal Time) for evaluation time. Indicate whether local time and UTC time should be used for evaluation. Require a new scan for each evaluation. A False setting allows a client to return to the SHVP the cached result from the most recent scan while a True setting requires a new and current full scan. NAP re-evaluation schedule. Determines how often the clients status should be re-evaluated.Power ManagementPower management capabilities were added to SCCM in a recent edition of a previous version, but theyre included in full force in SCCM 2012. Power management can be used to create policies, which, once applied to clients, can begin to save the company money.

Figure 10: Power Management settings Allow power management of devices. Allows SCCM to manage power settings in managed devices. Allow users to exclude their device from power management. SCCM is a user-focused product. As such, administrators can choose to allow users to opt out of centrally-enforced power management by changing this setting to True.SummaryAs you are continuing to see, there are a number of options associated with each client setting. Administrators can adjust these options to control client behavior in the environment. In the next part of this series, well continue our look at client settings.Client SettingsClient settings are a crucial aspect of System Center Configuration Manager 2012. In older versions of SCCM, these were called client agents, but they still serve the same purpose in SCCM 2012. These settings control how the managed clients in SCCM 2012 will operate. In this article series, well go through each and every client setting and explain in detail the parameters that you can adjust.Endpoint ProtectionIn previous versions of SCCM, adding support for what used to be called Forefront Endpoint Protection involved a series of steps that extended SCCM to be able to act as the central monitoring host for the Forefront Endpoint Protection antimalware tool. In SCCM 2012, support for the renamed System Center Endpoint Protection antimalware tool is built right into the product and there is a client setting providing administrators with a means to control how the Endpoint Protection installation will take place.

Figure 6: Endpoint Protection settings Manage Endpoint Protection on client computers. Selecting this option indicates that you wish to centrally manage Endpoint Protection from within the SCCM console. Install Endpoint Protection client on client computers. If System Center Endpoint Protection is not yet installed, changing this option to True will install Endpoint Protection on client computers. Automatically remove previously installed antimalware software before Endpoint Protection is installed. Endpoint Protection has the ability to uninstall some third party antimalware tools, including: Symantec AntiVirus Corporate Edition version 10 Symantec Endpoint Protection version 11 Symantec Endpoint Protection Small Business Edition version 12 McAfee VirusScan Enterprise version 8 Trend Micro OfficeScan Microsoft Forefront Codename Stirling Beta 2 or Beta 3 Microsoft Forefront Client Security v1 Microsoft Security Essentials v1 or 2010 Microsoft Forefront Endpoint Protection 2010 Microsoft Security Center Online v1 Suppress any required computer restarts after the installed Endpoint Protection client is installed. The Endpoint Protection installation does not respect maintenance windows established for clients. Therefore, if the Endpoint Protection installation requires a system restart, the system will restart at any time of day. To prevent this, enable this option. Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours). If the previous option is set to False, administrators can allow users to postpone a restart for a number of hours configured here. Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers. The initial Endpoint Protection deployment can be an impactful event since the software needs to be deployed and new definitions downloaded immediately. You can configure this option to reduce the overall impact by forcing clients to use just the SCCM server for initial definition updates.Hardware InventoryThe hardware inventory client setting controls how clients perform local hardware inventories and submit the information back to SCCM. Before discussing the hardware inventory, make sure you understand what is meant by the term MIF file.Management Information Files (MIF) are used by SCCM and clients to exchange hardware information. Administrators can extend SCCMs hardware collection capabilities by using MIF files to supplement what SCCM captures by default. However, you can also use the SCCM client settings configuration area to extend the information that SCCM captures by default.To learn more about MIF, visit this page.

Figure 7: Software Inventory settings Enable hardware inventory on clients. Directs clients to begin collecting local hardware information based on information configured here. Hardware inventory schedule. How often should a client perform a hardware scan and return information to an SCCM server? Maximum custom MIF file size (KB). A range of 1 KN to 5,000 KB is required here. This field indicates the maximum MIF file size that SCCM will process. If a file is returned from a client and its larger than this setting, the file will be ignored. Hardware inventory classes. Administrators can choose to collect all kinds of information from client hardware. You can see some of these in the screenshot above. Simply select the hardware classes that youd like to collection. The next time that the client performs a policy retrieval, it will be updated to include the new classes. Collect MIF files. None. Do not collect any MIF files from clients. Collect IDMIF files. IDMIF files are ones that contain inventory information from devices that are not managed by Configuration Manager. Select this option to collect IDMIF files from clients. Collect NOIDMIF files. NOIDMIF files are ones that contain hardware information that cant be inventoried directly by Configuration Manager. Select this option to collect NOIDMIF files from clients. Collect IDMP and NOIDMIF files. Collect both kinds of files from clients.Network Access Protection (NAP)The Network Access Protection client agent scans a local machine and sends the results of the scan to a System Health Validator Point. This SCCM capability requires that organizations have an existing Network Access Protection architecture already in place. Systems that do not comply with baselines may not be able to connect to the network until the situation is remediated.

Figure 9: Network Access Protection settings Enable Network Access Protection on clients. When enabled, client software updates are scanned and the results sent to a System Health Validator Point (SHVP). Use UTC (Coordinated Universal Time) for evaluation time. Indicate whether local time and UTC time should be used for evaluation. Require a new scan for each evaluation. A False setting allows a client to return to the SHVP the cached result from the most recent scan while a True setting requires a new and current full scan. NAP re-evaluation schedule. Determines how often the clients status should be re-evaluated.Power ManagementPower management capabilities were added to SCCM in a recent edition of a previous version, but theyre included in full force in SCCM 2012. Power management can be used to create policies, which, once applied to clients, can begin to save the company money.

Figure 10: Power Management settings Allow power management of devices. Allows SCCM to manage power settings in managed devices. Allow users to exclude their device from power management. SCCM is a user-focused product. As such, administrators can choose to allow users to opt out of centrally-enforced power management by changing this setting to True.SummaryAs you are continuing to see, there are a number of options associated with each client setting. Administrators can adjust these options to control client behavior in the environment. In the next part of this series, well continue our look at client settings.Adding the management packOne great feature of Operations Manager is its extensibility. Through the addition of management packs, which are often free, you can massively extend the breadth and depth of the product and add to it the ability to monitor just about everything in your environment.To get started, we need to add management packs that enable the discovery of Active Directory domain controllers. Navigate to the Administration workspace. Expand Administration > Device Management and choose Management Packs. Right-click Management Packs and from the shortcut menu, choose Import Management Packs.

Figure 1: Choose Import Management PacksWhen the Import Management Packs window appears, click the Add button and choose Add from catalog. The catalog is a central repository of management packs that Microsoft keeps updated and that contains, literally, hundreds of management packs that you can use.

Figure 2: Add a management pack from the catalogBecause there are so many management packs from which to choose, you can narrow down your parameters by searching for management packs that match your needs. In Figure 3, Ive searched for Active Directory since Im interested in monitoring domain controllers. Note that there are four management packs returned that I need.

Figure 3: Select the management packs you wish to installYou will note in Figure 4 that there are some issues with the selections previously made. Another great thing about Operations Manager presents itself here. If there are additional management packs upon which your selected management packs depend, youre notified of this fact and given an opportunity to resolve the issue. To add dependency management packs, click the Resolve button next to each listed item.

Figure 4: Satisfy management pack dependenciesWhen you click the Resolve button, youre told which management pack is necessary to satisfy the dependency, as shown in Figure 5. Again, click the Resolve button to validate the selection.

Figure 5: The management pack that needs to be addedYou will continue this process until there is nothing in the Status column. In Figure 6, note that three management packs have been added to satisfy dependencies.

Figure 6: Everything checks out nowOnce you click the Install button, the selected management packs are downloaded and imported into Operations Manager.

Figure 7: The selected management packs are being installedMonitor Active DirectoryThis is the point at which patience is a virtue as it can take Operations Manager a little while to discover the domain controller role that might exist on managed systems. However, you will immediately notice that some new items are added to the Monitoring workspace.

Figure 8: An Active Directory entry now appears in the Monitoring workspaceWell go through each of these items below.DC Active AlertsBearing in mind that the alerts that youre seeing are from a test lab, the DC Active Alerts section displays any Operations Manager alerts that are raised by monitoring rules in the newly installed management pack. In Figure 9, you can see these alerts shown on the screen. One of the critical alerts is selected and you can see some additional details about the alert.

Figure 9: DC Active AlertsYou can get additional information about the alert by opening its properties page, which is shown in Figure 10. Ive shown an additional screen of information in Figure 11, which shows you quite a bit more detail about a different alert.

Figure 10: Additional information about the alert

Figure 11: Information about a separate alertDC EventsThe alerts that were shown in the previous section are the ones raised by virtue of rules in the management pack that was installed. However, theyre only a part of the bigger picture when it comes to troubleshooting Active Directory domain controllers. The old standbythe Windows Event Logstill contains a lot of information. The management pack that we just installed pulls AD-related events for your perusal and, when combined with the other data sources, provides you with a bigger picture view of the environment.

Figure 12: Events from the event logDC Performance DataThe newly installed management pack adds to the monitored system a number of performance gathering features that you will see in action. In Figure 13 below, you can see a graph that shows a single statistic on display for a particular time period. This information is constantly gathered so you can gain some insight into how a particular aspect of the monitored item is performing. If you want to see information about something else, simply select the checkbox in the Show column for the statistic youd like to see.

Figure 13: A performance graphDC StatePerhaps the most important piece of information you need to know is whether or not your domain controllers are operational or if theyre experiencing serious issues. The DC State area gives you a look at the domain controllers in your environment and identifies their state. This is shown in Figure 14.

Figure 14: The domain controller stateIf you do have a domain controller in a critical state, you need to understand exactly whats going on. You can use the Health Explorer to accomplish this task. Simply right-click the state area and choose to open the Health Explorer. In Figure 15, you can see exactly which rule is not working and when it went bad.

Figure 15: The Health ExplorerDC Server 2008 entriesThese are pretty much repeats of what we just saw, but will show just Windows Server 2008 domain controller information.AD DIT/Log Free SpaceActive Directory servers need to have enough disk space to store log files. This graph displays how much space is available on the file on the drive on which the log files are stored, which is generally the system drive. The value shown on the Y axis is in bytes.

Figure 16: The amount of free space on the log file driveAll Performance DataIf youre looking for something a bit more granular, you can choose whatever performance statistics youd like to see graphed by selecting that graph from the All Performance Data section.

Figure 17: Choose a graph... any graphDatabase and Log OverviewNot every option here displays a single graph. The Database and Log Overview section displays information pertinent to the database and log files themselves. There is less clutter here, making it easier for the administrator to get necessary details for corrective purposes.

Figure 18: AD database and log informationDatabase SizeThis graph displays the current size of the AD database. Note that only one domain controller is available for selection because only one DC in my lab domain currently has the SCOM client installed on it. If I add the second DC, it will become available as a selection.

Figure 19: Database size detailsDC OS Metrics OverviewAs was the case with the database and log file section before, this section allows you to see information about the status of some key metrics important in managing Active Directory. In Figure 20, you can see how much RAM is available and how much is committed and you also get information about the Local Security Authority Subsystem Service (LSASS).

Figure 20: More pertinent rollup informationDC Response TimeA domain controller that isnt responsive will result in users calling the help desk complaining about poor performance. You can see how quickly your domain controllers are responding to user requests using the graph below.

Figure 21: Domain controller response timeDC/GC ResponseThat single graph showing DC response time may not be enough. You may also want to see how quickly your global catalog servers are responding. You can see both stats on this page.

Figure 22: DC/GC response timeGC Response TimeAnd, if you want to see just global catalog information, you can do so on the GC Response Time page, shown in Figure 23.

Figure 23: Global catalog response timeLog File SizeYou saw log file size information earlier, but this is a page with just that information displayed.

Figure 24: Current log file sizeLSASS Processor TimeThe Local Security Authority Subsystem Service is responsible for enforcing the security policy on the system and it can eat up a lot of processor capacity. If it does, it can result in poor performance. In Figure 25, you can see granular information for how much processor time is being used by this service.

Figure 25: LSASS statisticsMemory MetricsYou saw memory information displayed earlier on one of the aggregate graphs. Here, you can see just memory statistics related to your domain controller.

Figure 26: Memory statsOpMaster PerformanceFinally, you can get some information about the performance of your domains operations master, shown below in Figure 27.

Figure 27: OpMaster performance graphSummaryAnd that, folks, is the Active Directory management pack for SCOM 2012. As you can see, it adds a ton of information to the SCOM framework and allows administrators to delve deeply into systems to see what is happening under the hood.Using Health ExplorerBefore you attempt to customize a management pack, lets first take a look at some of the methods by which you can gain granular knowledge regarding the state of your existing environment.This is where the Operations Manager Health Explorer comes in handy.With this tool, you can get at a glance status for every monitored item in the environment. To access the Health Explorer, from the Monitoring area, right click one of the health indicators and, from the shortcut menu, choose Open > Health Explorer. See Figure 1 for a look at how this should appear in your environment.

Figure 1: Open the Health ExplorerOnce you open the Health Explorer, youll see a screen like the one shown in Figure 2. Believe it or not, you want to see as little as possible on this screen.By default, along with the primary health of the entity, only unhealthy child items are displayed.So, since there is nothing wrong with this server at present, you see a green circle with checkmark indicating that the entity is health. Immediately above that, you will see a yellowish bar that reads Scope is only unhealthy child monitors.Basically, this means that SCOM is going to display only those metrics that are not in alignment with their established parameters. To show everything click the X in the yellow bar.

Figure 2: You are first presented with (hopefully) very little information abut the selected entityOnce you click the X, youre shown everything there is to see with regard to this entity (Figures 3 and 4).You can see that I have expanded the Entity Health nodes until Logical Disk Free Space (C:) was visible.By clicking on that metric, Operations Manager now displays a whole lot of information about the selected metric.In this case, youre shown knowledge about Drive C: on the selected server. Knowledge is information that is included in the management pack to help administrators identify and correct issues that may arise in the environment.What you will notice immediately is that the Knowledge pane also provides you with the point at which Operations Manager determines that the selected disk drive is too low on disk space. Further, you will see that there are two different criticality levels: Warning.A warning will be raised on the C: drive when it gets below either 500 MB of free space or when it goes below 10% of available space. Error.An error will be raised on the C: drive when it gets below either 300 MB of free space or when it goes below 5% of available space. For a system drive, the parameters are a little more restrictive: Warning. A warning will be raised on the C: drive when it gets below either 2 GB of free space or when it goes below 10% of available space. Error.An error will be raised on the C: drive when it gets below either 1 GB of free space or when it goes below 5% of available space.

Figure 3: Information about the free space available on drive C:

Figure 4: More information about the C: driveNote also that the Knowledge tab provides you with a list of potential causes for a warning or error along with possible resolutions.While the resolution for correcting a disk space issue is pretty simple, when it comes to resolving more complex issues, the cause and resolution sections of the knowledge tab can be extremely valuable.Get yet more informationThe information youre shown in the main screen is just the beginning.To see extremely detailed information about the monitored item, click the Properties button in the menu bar.This opens the General tab that you see below in Figure 5.The General tab provides the name of the monitor as well as a description of such. It also identifies the management pack from which the monitor originates and tells you the kind of resource that is targeted by the monitor. Finally, youre told to which parent monitor the monitor rolls up.If the C: drive shows a warning or error, then the main Availability monitor for the server will also show a warning or error state.

Figure 5: General information about the monitorOn the schedule tab, youre able to see how often the monitor is configured to gather information to be reported back to Operations Manager.In Figure 6, you can see that information is gathered, by default, every 15 minutes.

Figure 6: The interval at which the information is gatheredThe next few tabs are like the one shown in Figure 7 and provide you with a way to see the levels at which a warning or error alert will be raised.You saw these values earlier, so I wont repeat them here.

Figure 7: The percentages that you saw earlierThe Health tab allows you to see which statuses trigger which health states.

Figure 8: The health status that will be set on a per monitoring condition basisWhen the monitored item enters a state that requires a warning or error to be issued, an alert is raised in the Operations Manager console. The Alerting tab is the place to go to see what the text of this message will look like.Further, on this tab, you can see the default priority level for the alert.

Figure 9: The text of the alert that will be raised for this itemWhen used properly, the Diagnostics and Recovery tab can be used to automate the resolution to a problem.For disk space, issue, however, you dont want the system to automatically delete files, so no actions are listed.

Figure 10: Actions that will be taken to attempt diagnostics and recovery related to the monitorOnce you close the Properties windows. Click OK to go back to the view of the monitor and choose the State Change Events tab.You will see a screen like the one shown in Figure 11. This screen lets you know the date and time at which an alert condition is raised. This can aid response and help you more quickly understand when something went wrong and streamline your support efforts.

Figure 11: State Change Events tabSummaryThats a look at how you can manage monitors in SCOM 2012.The Health Explorer powerful insights about the health of your system. You may be wondering how you can change these metrics since they were all grayed out.That is the topic for the next part of this series.