SCCM2012-DesignQuestions

System Center 2012 Configuration Manager

Design Questionnaire

Prepared forClient

Client Contact NameClient Contact Email

Client Contact Phone

Prepared byRFL Systems Ltd

http://www.rflsystems.co.ukRaphael Perez

Document InformationStatus

Document Status Information

Document Version 0.1Version Date October 2012Created By Raphael PerezReviewed ByReleased byRelease Date

Document Location

This document is a snapshot of an online document that can be found at http://bit.ly/RcjtZk.

Change History

Version Date Author Revision Description

0.1 19/10/2012 RP Initial Version

Approvals

This document was approved by:

Version Date Name Title

Distribution

This document must be distributed to:

Version Name Title

http://bit.ly/RcjtZk

Contents

Introduction...........................................................................................................................................5

Design Process.......................................................................................................................................5

Define the Project Scope.......................................................................................................................6

Determine Which Features This Project Will Address.......................................................................6

SCCM Infrastructure..............................................................................................................................8

Questionnaire....................................................................................................................................8

Inventory...............................................................................................................................................9

Questionnaire..................................................................................................................................10

Hardware Inventory.....................................................................................................................10

Software Inventory......................................................................................................................10

Asset Intelligence.........................................................................................................................10

Software Distribution..........................................................................................................................10

Questionnaire..................................................................................................................................11

Software Updates................................................................................................................................11

Questionnaire..................................................................................................................................11

Application Virtualization....................................................................................................................13

Questionnaire..................................................................................................................................13

Software Metering...............................................................................................................................13

Questionnaire..................................................................................................................................13

Settings Management..........................................................................................................................14

Questionnaire..................................................................................................................................14

Network Access Protection..................................................................................................................14

Questionnaire..................................................................................................................................15

Wake On Lan and Power Management...............................................................................................15

Questionnaire..................................................................................................................................15

Out of Band Management...................................................................................................................15

Questionnaire..................................................................................................................................15

Remote Tools.......................................................................................................................................16

Questionnaire..................................................................................................................................16

Operating System Deployment............................................................................................................16

Questionnaire..................................................................................................................................17

User State Migration...........................................................................................................................18

Questionnaire..................................................................................................................................18

Security................................................................................................................................................19

Questionnaire..................................................................................................................................19

Remote Consoles.................................................................................................................................19

Questionnaire..................................................................................................................................19

Discovery.............................................................................................................................................19

Questionnaire..................................................................................................................................20

Mobile Device Management...............................................................................................................22

Questionnaire..................................................................................................................................22

Client Installation.................................................................................................................................23

Questionnaire..................................................................................................................................24

Endpoint Protection............................................................................................................................25

Questionnaire..................................................................................................................................25

IntroductionThis guide leads the reader through the process of planning a System Center Configuration Manager infrastructure.

The guide addresses the following fundamental decisions and tasks:

Identifying which SCCM capabilities will be needed. Designing the components, layout, security, and connectivity of the SCCM infrastructure. Designing the components and the dependencies that are required

Business objectives should be prioritized at the start of the project so that they are clearly understood and agreed on by IT and business managers.

Following this guide should result in a design that is sized, configured, and appropriately placed to deliver the stated business benefits, while considering the user experience, security, manageability, performance, capacity, and fault tolerance of the system.

The guide addresses the scenarios most likely to be encountered by someone designing a SCCM infrastructure.

Please note that the terms System Center Configuration Manager, ConfigMgr, Configuration Manager, CM and SCCM all refer to the same Microsoft product, and the terms are used interchangeably.

Design ProcessThis guide addresses the following decisions and activities that must occur in planning the design for SCCM. The following steps that represent the most critical design elements in a well-planned SCCM design:

Define the Project Scope; SCCM Infrastructure; Asset Inventory; Software Distribution; Software Updates; Application Virtualization; Software Metering; Compliance Settings; Network Access Protection; Wake On Lan; Power Management; Endpoint Protection; Internet-based client; Mobile device management;

Date Modified on 19/10/2012 10:29 Version 0.1Author Raphael Perez Telephonedocument.docx Page 5 of 26

Remote Tools; Operating System Deployment; User State Migration; Security; Remote Consoles; Discovery; Client Installation; Design Hierarchy/Site.

Define the Project ScopeIn this step, the project scope will be defined in order to align the goals of the project with the business motivation. The appropriate parts of the organization will be identified for inclusion in the project. Then one or more SCCM features will be selected to meet the business goals. SCCM is a powerful product with a rich feature set, and so it’s very important to determine which of its features to use.

The specific target machines that will become SCCM clients will be identified based on the project scope and the selected features. Finally, the organization’s service level expectations and future growth plans will be documented to assist in the planning process.

Determine Which Features This Project Will AddressBusiness Goal Feature Description Included?

Inventory Hardware Inventory Collects hardware information from business servers and client systems, such as available disk space, processor type, and operating system.

Software Inventory Collects software information, such as file versions.

Asset Intelligence Recognizes Microsoft and third-party software “signatures” by checking and verifying information in a database—for example, checking executable filenames.

Automate Software Installation

Operating System Distribution

Installs a configured operating system, even on systems that have no operating systems (bare metal).

Software Distribution Installs and configures software programs.

Application Virtualization

Streams applications that have been sequenced by Microsoft Application Virtualization (App-V).

Software Updates Scans servers and workstations for software updates and deploys those


updates.

Standardize configurations and compliance

Network Access Protection

Provides enforcement of software updates on clients before they can access network resources.

Settings Management Defines configuration standards and policies, and audits standards compliance throughout the enterprise against those defined configurations.

Software Metering Collects and reports on software that is in use so that this can be compared against licenses to ensure software license compliance.

Manage machines off hours

Wake on LAN Can power on a system, even when it’s switched off, which is useful for performing software distribution or software updates during off hours.

Out of Band Management

Can manage systems when they are turned off, in sleep mode, in hibernation mode, or otherwise unresponsive. The managed computer must have the Intel V-Pro chip installed.

Take the Help Desk to the user

Remote Control Remotely administer client workstations. Useful for Help Desk personnel needing to troubleshoot individual user issues

Antimalware protection, policy-based security management, and reporting

Endpoint Protection Provides antimalware security for client computers and servers that can be integrated directly into System Center applications; also provides historical reporting of malware events and client status.

Manage outside the enterprise

Internet client Enables management of clients that are beyond the organization’s firewall boundary—for example, on the Internet.

Mobile device management

Mobile devices, such as phones, can run a capabilities subset, such as inventory and software distribution (cannot be managed by remote control or receive operating system deployments like desktop clients).


SCCM InfrastructureNow that the scope has been identified, there are many constraints of its own that would affect a SCCM Infrastructure. The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.

Questionnaire1. Physical locations

Location IP Range / Subnet / AD Site

2. Network connectivity

Location 1 Location 2 Connection Utilized Bandwidth

3. What are the company expectations for growth or contraction?

4. Server location

Manufacture Model Location Number

5. Client (desktop & laptop) location

Manufacture Model Location Number

6. Client Connectivity

Connection Number

7. Will clients move between locations?

8. Are any acquisitions or divestitures planned in the environment in which SCCM will be implemented?

9. Is Active Directory Schema extension allowed to SCCM?

10. Is this solution should be fault-tolerance or high availability?

11. Can this solution be totally virtualized? If yes, which virtualization platform will be used?

12. Which locations virtual servers cannot be used?

Location


13. Should a DR planning be part of the project?

14. If the solution is totally virtualized, can the DR planning be held as part of the virtualization solution (ie. Server replication, VMotion, etc)

15. Are there any non-Domain clients that should be managed?

16. Should SQL Server (Installation and Configuration) be part of the project?

17. Should SQL Reporting Services (Installation and Configuration) be part of the project?

18. Can servers be installed on a Remote site? If yes, any exception?

Location

19. Will 3rd Party Software be considered as part of the project? (ie. 1E Nomad)

20. If required, Should Public Key Infrastructure (Design, Installation and Configuration) be part of the project?

21. If required, Should configuration of the Active Directory for Bitlocker be part of the project?

22. Does your company have Windows Intune Subscription?

23. List of languages the solution should support

Location Language

InventoryInventory is responsible for collecting information about the clients’ machines hardware and software resources. This information includes installed hardware, memory statistics, hard disk space usage as well installed software patches.

The inventory information is often used to effectively target the installation of new software packages. For example, when deploying Microsoft Office 2007; it is possible to use the inventory to generate a report of the clients that meets the required installation prerequisites.

The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.


Questionnaire

Hardware Inventory1. How often should it be updated?

2. Classes that should be collected

Class Name Field Name Computers

3. New classes that should be created/collected

Class Name Source Fields Computers

Software Inventory1. How often should it be updated?

2. List all files/extensions that will be inventoried

File name / Extension Location Computers

3. List all files/extensions that will be collected

File path / File name / Extension

Location Computers

Asset Intelligence1. Should Asset Management manage Microsoft Volume License licenses?

2. Should Asset Management manage non-Microsoft licenses?

3. Should it synchronize its database with Microsoft online? If yes, how often?

4. Which classes should be enabled? (http://bit.ly/UOWNnc)

Software DistributionSoftware distribution feature provides a set of tools and resources that help you create and manage applications and packages used to distribute software to client resources within your enterprise.



http://bit.ly/UOWNnc

Questionnaire1. List all applications (Manufacture, name, version, service pack, size, deployment type) that

you believe will be deployed to your organisations client resources using SCCM.

Manufacturer Name Version Service Pack Size Deployment Type (OSD, Client, Base Image)

2. Should a message be displayed to the end-user when installing application?

3. If a restart is needed, what should be restart countdown (in minutes)?

4. List of software that can be deployed to a user

Name Type (App-v, MSI, exe, etc) Primary Machine only?

5. How often a re-evaluation of the system should happen for software that is required to be installed?

6. Will users be able to request software installation via web portal?

7. When requesting software via web portal that requires approval, should an e-mail be sent to his/her manager? If yes, is this information populated into Active Directory?

8. Will Windows Intune be used to distribute content for Internet clients?

Software UpdatesThe software updates feature provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.


Questionnaire1. List of existing Windows Software Update Service in use

Server Name / OS WSUS Version Location

2. List of the Categories that will be used

Categories Included?

Critical Updates


Definition Updates

Drivers

Feature Packs

Service Packs

Tools

Update Rollups

Updates3. List of Microsoft Software to be patched

Name Version Service Pack Size

4. List of non-Microsoft Software to be patched

Manufacture Name Version Service Pack Size

5. When the Software Update can be applied to clients? (maintenance window)

Start Time End Time Computer

6. List of Scan/evaluation

Date/Time Computer

7. How often the synchronization with Microsoft will happen?

8. Enforce mandatory deployment?

9. Will Software Update be used to patch non-Microsoft software? If yes, can 3rd party software be used?

10. Display message to the end user when applying patches?

11. How often the re-evaluation of installed updates happen?

12. List of automatic deployment rules

Rule (Product, classification, etc.)

Computers Deadline


Application VirtualizationApplication virtualization is at the heart of Microsoft Application Virtualization (App-V). It decouples applications from the operating system and enables them to run as network services. Application virtualization can be layered on top of other virtualization technologies—network, storage, machine—to create a fully virtual IT environment where computing resources can be dynamically allocated in real-time based on real-time needs. App-V's patented application virtualization, dynamic streaming delivery, and centralized management technologies make everything from deployments and upgrades to migrations and business continuity initiatives easier and faster with better agility:


Questionnaire1. Does your company SA gives you access to the MDOP package?

2. What App-v client version will be integrated?

3. List all applications (Manufacture, name, version, service pack, size that you believe will be deployed to your organisations client resources using SCCM.

Manufacture Name Version Service Pack Size

4. App-v Virtual Environment (App-v 5 only)

Application Middleware

Software MeteringSoftware metering in SCCM allows you to monitor and collect software usage data on SCCM clients.

The collection of this usage data is based on software metering rules that can be configured by the administrator in the SCCM console, or by the automatic generation of rules based on usage data collected by SCCM inventory. These rules are evaluated by the software metering client agent on SCCM client computers, which collects metering data and reports this back to the site database.


Questionnaire1. How often Software Metering should be reported?

2. List of Application to be monitored

Manufacture Application File Name Version Language Location


Name

Settings ManagementThe SCCM desired configuration management (DCM) feature provides a set of tools and resources that can help assess and track configuration compliance of client computers in the enterprise.

Desired configuration management in SCCM allows you to assess the compliance of computers with regard to a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.


Questionnaire1. Will Settings be used for Servers (Application Monitoring)?, if Yes, List all applications that

will be monitored

Manufacture Application Name

Version Service Pack Language

2. List of Items to be monitored

Item Name Rule Expected Value Auto-remediation

3. User data and Profiles

Type (Folder Redirection, Offline, Roaming profile)

Where Configuration

Network Access ProtectionThe SCCM Network Access Protection (NAP) feature provides a set of tools and resources that can enforce compliance of software updates on client computers to help protect the integrity of your enterprise network.

Network Access Protection (NAP) is a policy enforcement platform built into Windows 7, Windows Vista, and Windows Server 2008 operating system that lets you better protect network assets by enforcing compliance with system health requirements.



Questionnaire1. Is the Windows 2008 Network Access Protection in place?

2. How often the evaluation cycle will happen? Will it be a fresh scan every time?

3. Will it use the same Active Directory Forest? If not, what is the other domain suffix

Wake On Lan and Power Management

Configure scheduled SCCM activities to take place outside business hours using the Wake On LAN or Power Management feature, which has the following benefits:

Helps to achieve a higher success rate for SCCM activities. Reduces the associated network traffic during business hours. Helps to conserve power by not requiring computers to be left on outside business hours.


Questionnaire

1. Will Wake On Lan be used?

2. Will wake up be used? When will the wake up occur?

3. Are users allowed to exclude their devices from power management? If no, any exception?

User / Group

Out of Band ManagementOut of band management in SCCM provides powerful management control for computers that have the Intel vPro chip set and a version of the Intel Active Management Technology (Intel AMT) that is supported by SCCM.


Questionnaire1. Are all machines v-pro capable?

2. Is there any Microsoft Enterprise Certificate Authority in place?


Remote ToolsSCCM remote tools allow you to remotely access and operate client computers in the SCCM site which have the remote tools client agent components installed.


Questionnaire1. Will users be able to change the local settings?

2. Automatic grant permissions to local Administrators Groups?

3. Who will have rights to remote access client machines?

User / Group Computer Name Reason

4. Prompt for users permissions? If yes, any exception?


5. Display remote access notification? If yes, any exception?


6. List of remote tools to be used

Type Level Of Access Extra Information

Remote Tools Full/View only/No Access

Remote Assistance None/Remote Viewing/Full Control

Solicited/unsolicited

Remote Access Require network level authentication

Operating System DeploymentOperating System Deployment allows you to create operating system images and deploy those images to target computers. Operating System Deployment also provides task sequences which help facilitate the deployment of operating system images, and other SCCM software applications/packages.



Questionnaire1. Will OS Deployment be integrated with MDT?

2. Will Bare Metal OS Deployment be used?

3. Will OS migration be used? (ie: from XP to Windows 7, from Windows 7 to Windows 7).

4. If Question 3 is yes, will the Migration be responsible for saving user’s profile?

5. Will Multicast be used?

6. If question 5 is yes, does your network (switches/routers) support Multicast? If yes, any exception

Location

7. List of Operating Systems

Location OS Name / Version

8. Where OS Deployment be used?

Location Type (Migration, Bare Metal, Both)

Data Access (Media, Network)

9. What windows activation method will be used? MAK/KMS

10. How many partitions should be used?

11. Does your organization need deploy OS to any computer that SCCM do not know? (Unknown computer support), if yes, should it use password?

12. Does the OS refresh/migration need install application that was already installed?

13. Is there any disk encryption used?

14. Will UEFI be used instead Bios? If yes, exceptions?

Computer / Computer Model

15. Will BitLocker be used? If yes, will recovery key be stored in active directory?

Computer / Computer Model Bitlocker key management (TPM, USB, TPM + USB, TPM + PIN)


16. Will Windows To Go be used? (Apply only to Windows 8 OS)

Computer / Computer Model Bitlocker key management (TPM, USB, TPM + USB, TPM + PIN)

User State MigrationA key goal of the project is to ensure that the users do not lose their locally stored files or settings during the deployment process.

As such, the locally stored user data will be preserved using the Microsoft User State Migration Tool (USMT).

Questionnaire1. Should OS Deployment save user profile?

2. Should Offline capture be used? If yes, should BitLocker be disabled before installing new OS (if applicable)?

3. Should user’s profile be saved on the local hard drive?

4. Should user’s profile be saved on a remote server? If yes, for how long it should be kept there?

5. Should user’s profile be saved locally/on a USB disk when no remote server available or on a remote site with unreliable/slow network connectivity?

6. What files/extensions should be saved?

File Path Extension

7. What applications should have their user settings saved?

Application Settings

8. Which user settings should be discarded?

Settings

9. Regional Settings

Location Regional Settings


10. Which users should have their profile excluded?

11. Exclude user profile on last logon? If yes, since when (Number of days / specific date time)

SecurityBy default, only administrators have access to all SCCM features. Non-administrators may need access to only a subset of features and this access should be controlled.


Questionnaire1. List of user/group with their respective access

User / Group Access Computer

2. Is there any requirement to split the management in more than one SCCM infrastructure?

Remote ConsolesThe SCCM console is the primary interface to configure, run, and access SCCM features and tools and it is required to accomplish the day-to-day tasks required to configure sites, maintain SCCM site database, and monitor the status of a SCCM hierarchy.


Questionnaire1. How many concurrent consoles will be used?2. List of connections

User / Group Location

Discovery

An important concept to understand in SCCM is that of resource discovery. Before a client machine can be controlled and managed by SCCM it must be discovered.

The discovery process is important to initially find all resources, and also on an on-going basis so that newly built machines can be ‘discovered’ quickly and added to the SCCM site database. Discovering resources is the first phase of the client deployment process.


Once a resource has been discovered a Discovery Data Record, or DDR, is created and recorded in the SCCM site database.

A DDR contains resource properties such as:

SCCM unique identifier (GUID)

NetBIOS name

IP addresses

IP subnets

Operating system name and version

Domain or workgroup

Last logon user name

Name of discovery agent that generated the DDR

Active directory service container.

Active directory group.


Questionnaire

1. Which of the following Discovery methods will be used?

Discovery method

Discover Resources

Source of Data

How often Included? Observations

Active Directory Forest Discovery

Domain, IP Address, Active Directory Sites

Domain Controllers

Active Directory System Discovery

Computers Domain Controllers


Active Directory User Discovery

Users Domain controllers

Active Directory GroupDiscovery

Groups Domain controllers

Heartbeat discovery

Computers The discovered computer

Network Discovery

Computers, routers and devices that respond to network requests

Network devices

2. Should the membership of distribution groups be discovered? (applicable to Active Directory Group Discovery)

3. Only discover computer that have logged on to a domain recently? If yes, what is the time since last logon (days)? (applicable to Active Directory System Discovery and Group Discovery)

4. Only discover computer that updated their computer account password recently? If yes, what is the time since last password update (days)? (applicable to Active Directory System Discovery and Group Discovery)

5. Forest Discovery

Domain Suffix Account

6. Active Directory System Discovery

AD Container Account Observations

7. Active Directory User Discovery

AD Container Account Observations

8. Active Directory Group Discovery

Location / Group Account Observations


9. Network Discovery

Data Value

Type of Discovery

Slow network awareness

Subnets

Domains

SNMP

SNMP Devices

DHCP

Mobile Device ManagementOrganizations with mobile devices, such as smart phones and tables that operate beyond firewalls but must be managed centrally.


Questionnaire1. List of mobile device types

Manufacturer OS Name Version

2. How often should the pooling interval (Windows CE only) be?

3. Will users be able to enrol mobile devices? If yes, list users and groups

User / Group

4. If answer of question 3 is yes, what are the Issuing Certification Authorities and the Mobile device template to be used?

Certification Authority Mobile device template

5. Should Exchange Active Sync be used to manage mobile devices? If yes, list the exchange servers and accounts

Exchange server Account

6. Will Windows Intune used to manage Mobile Devices?


Client InstallationThe next phase is to install the SCCM client software on the clients. The following section details the various installation methods available in SCCM.

Client Installation method Advantage Disadvantage

Client push installation Can be used to push to a single computer, a collection or the results from a query.Can be used to automatically install the client on discovered computers.Automatically uses client installation properties defined on the Client tab of the Client Push Installation Properties dialog box.

Can cause high network traffic when pushing to large collections.Can only be used on computers that have been discovered.Cannot be used to install clients in a workgroup.A client push installation account must be specified which has administrative rights to the intended client computer.The Windows firewall must be configured on client computers with exceptions to allow client push installation to complete.

Software update point based installation

Can use your existing software updates infrastructure to manage the client software.Can automatically install the client software on new computers if WSUS and Active Directory Group Policy are configured correctly.Does not require computers to be discovered before the client can be installed.If the Active Directory schema has been extended, computers can read installation properties published to Active Directory Domain Services.Will reinstall the client software if it is removed.

Requires functioning software updates infrastructure as a prerequisite.Must use the same server for client installation and software updates, and this server must reside in a primary site.To install new clients, you must configure an Active Directory Group Policy object with the client's active software update point and port.If the Active Directory schema is not extended, you must use Group Policy to provision computers with client installation properties.

Group Policy installation Does not require computers to be discovered before the client can be installed.Can be used for new client installations or for upgrades.If the Active Directory schema

Can cause high network traffic if a large number of clients are being installed.If the Active Directory schema is not extended, you must use Group Policy to add client


has been extended, computers can read installation properties published to Active Directory.

installation properties to computers in your site.

Logon script installation Does not require computers to be discovered before the client can be installed.Supports using command line properties for CCMSetup.

Can cause high network traffic if a large number of clients are being installed.

Manual installation Does not require computers to be discovered before the client can be installed.Can be useful for testing purposes.Supports using command line properties for CCMSetup.

No automation, therefore time consuming.

Upgrade installation (software distribution)

Can leverage the features to upgrade the client by collection, or to a defined timescale.Supports using command line properties for CCMSetup.

Can cause high network traffic when distributing the client to large collections.Can only be used to upgrade the client software on computers that have been discovered and assigned to the site.

Upgrade installation (automatic upgrade)

Can leverage the features to upgrade the client by collection, or to a defined timescale.Supports using command line properties for CCMSetup.

Can cause high network traffic when distributing the client to large collections.Can only be used to upgrade the client software on computers that have been discovered and assigned to the site.


Questionnaire1. Client Installation method

Method Included? Comments

2. If client push enabled, will Client installation be automatic or manual after initial discovery?


Endpoint ProtectionEndpoint Protection uses SCCM’s capabilities to perform tasks such as deploying antimalware clients, enforcing security policies on endpoints, managing devices, and alerting administrators to events.


Questionnaire Automatically install Endpoint Protection on client computers? If yes, any exception?

Computer

Automatically remove previously installed antimalware software before installing Endpoint Protection? If yes, any exception?

Computer

Allow Endpoint Protection client installation and restart outside maintenance windows? If yes, any exception?

Computer

Supress any required computer restarts after Endpoint Protection installation? If yes, any exception?

Computer

Allow users to postpone restart after Endpoint Protection installation? If yes, any exception?

Computer How long (hours)

Allow 1st definition update download only from SCCM infrastructure? If yes, any exception?

Computer

Anti-malware policy

Computer Policy Data

Scheduled Scans

Scan Settings

Default Actions

Real-time protection


Exclusion Settings

Advanced

Threat overrides

Microsoft Active Protection Services

Definition updates Windows Firewall Policies

Computer Policy Enabled Incoming connections

Notify blocks

Domain Profile

Private Profile

Public Profile


Documents

SCCM2012-DesignQuestions