System Center 2012 Configuration Manager
Design Questionnaire
Prepared for
Client
Client Contact Name
Client Contact Email
Client Contact Phone
Prepared by
RFL Systems Ltd
http://www.rflsystems.co.uk
Raphael Perez
Document Information
Status
Document Status Information
Document Version 0.1
Version Date October 2012
Created By Raphael Perez
Reviewed By
Released by
Release Date
Document Location
This document is a snapshot of an online document that can be found at http://bit.ly/RcjtZk.
Change History
Version | Date | Author | Revision Description
0.1 | 19/10/2012 | RP | Initial Version
Approvals
This document was approved by:
Version | Date | Name | Title
Distribution
This document must be distributed to:
Version | Name | Title
Contents
Introduction
Design Process
Define the Project Scope
  Determine Which Features This Project Will Address
SCCM Infrastructure
  Questionnaire
Inventory
  Questionnaire
    Hardware Inventory
    Software Inventory
    Asset Intelligence
Software Distribution
  Questionnaire
Software Updates
  Questionnaire
Application Virtualization
  Questionnaire
Software Metering
  Questionnaire
Settings Management
  Questionnaire
Network Access Protection
  Questionnaire
Wake On Lan and Power Management
  Questionnaire
Out of Band Management
  Questionnaire
Remote Tools
  Questionnaire
Operating System Deployment
  Questionnaire
User State Migration
  Questionnaire
Security
  Questionnaire
Remote Consoles
  Questionnaire
Discovery
  Questionnaire
Mobile Device Management
  Questionnaire
Client Installation
  Questionnaire
Endpoint Protection
  Questionnaire
Introduction
This guide leads the reader through the process of planning a System Center Configuration Manager infrastructure.
The guide addresses the following fundamental decisions and tasks:
Identifying which SCCM capabilities will be needed.
Designing the components, layout, security, and connectivity of the SCCM infrastructure.
Designing the components and the dependencies that are required.
Business objectives should be prioritized at the start of the project so that they are clearly understood and agreed on by IT and business managers.
Following this guide should result in a design that is sized, configured, and appropriately placed to deliver the stated business benefits, while considering the user experience, security, manageability, performance, capacity, and fault tolerance of the system.
The guide addresses the scenarios most likely to be encountered by someone designing an SCCM infrastructure.
Please note that the terms System Center Configuration Manager, ConfigMgr, Configuration Manager, CM and SCCM all refer to the same Microsoft product, and the terms are used interchangeably.
Design Process
This guide addresses the decisions and activities that must occur in planning the design for SCCM. The following steps represent the most critical design elements in a well-planned SCCM design:
Define the Project Scope
SCCM Infrastructure
Asset Inventory
Software Distribution
Software Updates
Application Virtualization
Software Metering
Compliance Settings
Network Access Protection
Wake On Lan
Power Management
Endpoint Protection
Internet-based client
Mobile device management
Remote Tools
Operating System Deployment
User State Migration
Security
Remote Consoles
Discovery
Client Installation
Design Hierarchy/Site
Date Modified on 19/10/2012 10:29 Version 0.1 Author Raphael Perez Telephone document.docx Page 5 of 26
Define the Project Scope
In this step, the project scope will be defined in order to align the goals of the project with the business motivation. The appropriate parts of the organization will be identified for inclusion in the project. Then one or more SCCM features will be selected to meet the business goals. SCCM is a powerful product with a rich feature set, and so it’s very important to determine which of its features to use.
The specific target machines that will become SCCM clients will be identified based on the project scope and the selected features. Finally, the organization’s service level expectations and future growth plans will be documented to assist in the planning process.
Determine Which Features This Project Will Address
Business Goal | Feature | Description | Included?
Inventory | Hardware Inventory | Collects hardware information from business servers and client systems, such as available disk space, processor type, and operating system.
Inventory | Software Inventory | Collects software information, such as file versions.
Inventory | Asset Intelligence | Recognizes Microsoft and third-party software “signatures” by checking and verifying information in a database, for example, checking executable filenames.
Automate Software Installation | Operating System Distribution | Installs a configured operating system, even on systems that have no operating systems (bare metal).
Automate Software Installation | Software Distribution | Installs and configures software programs.
Automate Software Installation | Application Virtualization | Streams applications that have been sequenced by Microsoft Application Virtualization (App-V).
Automate Software Installation | Software Updates | Scans servers and workstations for software updates and deploys those updates.
Standardize configurations and compliance | Network Access Protection | Provides enforcement of software updates on clients before they can access network resources.
Standardize configurations and compliance | Settings Management | Defines configuration standards and policies, and audits standards compliance throughout the enterprise against those defined configurations.
Standardize configurations and compliance | Software Metering | Collects and reports on software that is in use so that this can be compared against licenses to ensure software license compliance.
Manage machines off hours | Wake on LAN | Can power on a system, even when it’s switched off, which is useful for performing software distribution or software updates during off hours.
Manage machines off hours | Out of Band Management | Can manage systems when they are turned off, in sleep mode, in hibernation mode, or otherwise unresponsive. The managed computer must have the Intel vPro chip installed.
Take the Help Desk to the user | Remote Control | Remotely administer client workstations. Useful for Help Desk personnel needing to troubleshoot individual user issues.
Antimalware protection, policy-based security management, and reporting | Endpoint Protection | Provides antimalware security for client computers and servers that can be integrated directly into System Center applications; also provides historical reporting of malware events and client status.
Manage outside the enterprise | Internet client | Enables management of clients that are beyond the organization’s firewall boundary, for example, on the Internet.
Manage outside the enterprise | Mobile device management | Mobile devices, such as phones, can run a capabilities subset, such as inventory and software distribution (cannot be managed by remote control or receive operating system deployments like desktop clients).
SCCM Infrastructure
Now that the scope has been identified, there are many constraints that would affect an SCCM infrastructure. The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Physical locations
Location | IP Range / Subnet / AD Site
2. Network connectivity
Location 1 | Location 2 | Connection | Utilized Bandwidth
3. What are the company expectations for growth or contraction?
4. Server location
Manufacturer | Model | Location | Number
5. Client (desktop & laptop) location
Manufacturer | Model | Location | Number
6. Client Connectivity
Connection | Number
7. Will clients move between locations?
8. Are any acquisitions or divestitures planned in the environment in which SCCM will be implemented?
9. Is Active Directory schema extension allowed for SCCM?
10. Should this solution be fault tolerant or highly available?
11. Can this solution be totally virtualized? If yes, which virtualization platform will be used?
12. In which locations can virtual servers not be used?
Location
13. Should DR planning be part of the project?
14. If the solution is totally virtualized, can the DR planning be held as part of the virtualization solution (e.g. server replication, VMotion, etc.)?
15. Are there any non-Domain clients that should be managed?
16. Should SQL Server (Installation and Configuration) be part of the project?
17. Should SQL Reporting Services (Installation and Configuration) be part of the project?
18. Can servers be installed on a remote site? If yes, any exception?
Location
19. Will 3rd Party Software be considered as part of the project? (e.g. 1E Nomad)
20. If required, should Public Key Infrastructure (Design, Installation and Configuration) be part of the project?
21. If required, should configuration of the Active Directory for BitLocker be part of the project?
22. Does your company have a Windows Intune subscription?
23. List of languages the solution should support
Location | Language
Inventory
Inventory is responsible for collecting information about the client machines’ hardware and software resources. This information includes installed hardware, memory statistics, hard disk space usage as well as installed software patches.
The inventory information is often used to effectively target the installation of new software packages. For example, when deploying Microsoft Office 2007, it is possible to use the inventory to generate a report of the clients that meet the required installation prerequisites.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
Hardware Inventory
1. How often should it be updated?
2. Classes that should be collected
Class Name | Field Name | Computers
3. New classes that should be created/collected
Class Name | Source | Fields | Computers
Software Inventory
1. How often should it be updated?
2. List all files/extensions that will be inventoried
File name / Extension | Location | Computers
3. List all files/extensions that will be collected
File path / File name / Extension | Location | Computers
Asset Intelligence
1. Should Asset Management manage Microsoft Volume License licenses?
2. Should Asset Management manage non-Microsoft licenses?
3. Should it synchronize its database with Microsoft online? If yes, how often?
4. Which classes should be enabled? (http://bit.ly/UOWNnc)
Software Distribution
The software distribution feature provides a set of tools and resources that help you create and manage applications and packages used to distribute software to client resources within your enterprise.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. List all applications (manufacturer, name, version, service pack, size, deployment type) that you believe will be deployed to your organisation’s client resources using SCCM.
Manufacturer | Name | Version | Service Pack | Size | Deployment Type (OSD, Client, Base Image)
2. Should a message be displayed to the end user when installing an application?
3. If a restart is needed, what should the restart countdown be (in minutes)?
4. List of software that can be deployed to a user
Name | Type (App-V, MSI, exe, etc.) | Primary Machine only?
5. How often should a re-evaluation of the system happen for software that is required to be installed?
6. Will users be able to request software installation via web portal?
7. When requesting software via web portal that requires approval, should an e-mail be sent to the user’s manager? If yes, is this information populated into Active Directory?
8. Will Windows Intune be used to distribute content for Internet clients?
Software Updates
The software updates feature provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. List of existing Windows Server Update Services (WSUS) instances in use
Server Name / OS | WSUS Version | Location
2. List of the categories that will be used
Categories | Included?
Critical Updates
Definition Updates
Drivers
Feature Packs
Service Packs
Tools
Update Rollups
Updates
3. List of Microsoft Software to be patched
Name | Version | Service Pack | Size
4. List of non-Microsoft Software to be patched
Manufacturer | Name | Version | Service Pack | Size
5. When can software updates be applied to clients? (maintenance window)
Start Time | End Time | Computer
6. List of scans/evaluations
Date/Time | Computer
7. How often will the synchronization with Microsoft happen?
8. Enforce mandatory deployment?
9. Will Software Update be used to patch non-Microsoft software? If yes, can 3rd party software be used?
10. Display message to the end user when applying patches?
11. How often will the re-evaluation of installed updates happen?
12. List of automatic deployment rules
Rule (Product, classification, etc.) | Computers | Deadline
Application Virtualization
Application virtualization is at the heart of Microsoft Application Virtualization (App-V). It decouples applications from the operating system and enables them to run as network services. Application virtualization can be layered on top of other virtualization technologies (network, storage, machine) to create a fully virtual IT environment where computing resources can be dynamically allocated in real time based on real-time needs. App-V's patented application virtualization, dynamic streaming delivery, and centralized management technologies make everything from deployments and upgrades to migrations and business continuity initiatives easier and faster with better agility.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Does your company’s SA give you access to the MDOP package?
2. What App-V client version will be integrated?
3. List all applications (manufacturer, name, version, service pack, size) that you believe will be deployed to your organisation’s client resources using SCCM.
Manufacturer | Name | Version | Service Pack | Size
4. App-V Virtual Environment (App-V 5 only)
Application | Middleware
Software Metering
Software metering in SCCM allows you to monitor and collect software usage data on SCCM clients.
The collection of this usage data is based on software metering rules that can be configured by the administrator in the SCCM console, or by the automatic generation of rules based on usage data collected by SCCM inventory. These rules are evaluated by the software metering client agent on SCCM client computers, which collects metering data and reports this back to the site database.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. How often should Software Metering be reported?
2. List of applications to be monitored
Manufacturer | Application Name | File Name | Version | Language | Location
Settings Management
The SCCM desired configuration management (DCM) feature provides a set of tools and resources that can help assess and track configuration compliance of client computers in the enterprise.
Desired configuration management in SCCM allows you to assess the compliance of computers with regard to a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Will Settings be used for Servers (Application Monitoring)? If yes, list all applications that will be monitored
Manufacturer | Application Name | Version | Service Pack | Language
2. List of items to be monitored
Item Name | Rule | Expected Value | Auto-remediation
3. User data and Profiles
Type (Folder Redirection, Offline, Roaming profile) | Where | Configuration
Network Access Protection
The SCCM Network Access Protection (NAP) feature provides a set of tools and resources that can enforce compliance of software updates on client computers to help protect the integrity of your enterprise network.
Network Access Protection (NAP) is a policy enforcement platform built into the Windows 7, Windows Vista, and Windows Server 2008 operating systems that lets you better protect network assets by enforcing compliance with system health requirements.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Is the Windows 2008 Network Access Protection in place?
2. How often will the evaluation cycle happen? Will it be a fresh scan every time?
3. Will it use the same Active Directory Forest? If not, what is the other domain suffix?
Wake On Lan and Power Management
Configure scheduled SCCM activities to take place outside business hours using the Wake On LAN or Power Management feature, which has the following benefits:
Helps to achieve a higher success rate for SCCM activities.
Reduces the associated network traffic during business hours.
Helps to conserve power by not requiring computers to be left on outside business hours.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Will Wake On Lan be used?
2. Will wake up be used? When will the wake up occur?
3. Are users allowed to exclude their devices from power management? If no, any exception?
User / Group
Out of Band Management
Out of band management in SCCM provides powerful management control for computers that have the Intel vPro chip set and a version of the Intel Active Management Technology (Intel AMT) that is supported by SCCM.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Are all machines vPro capable?
2. Is there any Microsoft Enterprise Certificate Authority in place?
Remote Tools
SCCM remote tools allow you to remotely access and operate client computers in the SCCM site which have the remote tools client agent components installed.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Will users be able to change the local settings?
2. Automatically grant permissions to the local Administrators group?
3. Who will have rights to remotely access client machines?
User / Group | Computer Name | Reason
4. Prompt for the user’s permission? If yes, any exception?
User / Group | Computer Name | Reason
5. Display remote access notification? If yes, any exception?
User / Group | Computer Name | Reason
6. List of remote tools to be used
Type Level Of Access Extra Information
Remote Tools Full/View only/No Access
Remote Assistance None/Remote Viewing/Full Control
Solicited/unsolicited
Remote Access Require network level authentication
Operating System Deployment
Operating System Deployment allows you to create operating system images and deploy those images to target computers. Operating System Deployment also provides task sequences which help facilitate the deployment of operating system images, and other SCCM software applications/packages.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Will OS Deployment be integrated with MDT?
2. Will Bare Metal OS Deployment be used?
3. Will OS migration be used? (e.g. from XP to Windows 7, from Windows 7 to Windows 7)
4. If question 3 is yes, will the migration be responsible for saving the user’s profile?
5. Will Multicast be used?
6. If question 5 is yes, does your network (switches/routers) support Multicast? If yes, any exception?
Location
7. List of Operating Systems
Location | OS Name / Version
8. Where will OS Deployment be used?
Location | Type (Migration, Bare Metal, Both) | Data Access (Media, Network)
9. What Windows activation method will be used? MAK/KMS
10. How many partitions should be used?
11. Does your organization need to deploy an OS to any computer that SCCM does not know? (Unknown computer support) If yes, should it use a password?
12. Does the OS refresh/migration need to install applications that were already installed?
13. Is there any disk encryption used?
14. Will UEFI be used instead of BIOS? If yes, exceptions?
Computer / Computer Model
15. Will BitLocker be used? If yes, will the recovery key be stored in Active Directory?
Computer / Computer Model | BitLocker key management (TPM, USB, TPM + USB, TPM + PIN)
16. Will Windows To Go be used? (Applies only to Windows 8 OS)
Computer / Computer Model | BitLocker key management (TPM, USB, TPM + USB, TPM + PIN)
User State Migration
A key goal of the project is to ensure that the users do not lose their locally stored files or settings during the deployment process.
As such, the locally stored user data will be preserved using the Microsoft User State Migration Tool (USMT).
Questionnaire
1. Should OS Deployment save the user profile?
2. Should Offline capture be used? If yes, should BitLocker be disabled before installing the new OS (if applicable)?
3. Should the user’s profile be saved on the local hard drive?
4. Should the user’s profile be saved on a remote server? If yes, for how long should it be kept there?
5. Should the user’s profile be saved locally/on a USB disk when no remote server is available or on a remote site with unreliable/slow network connectivity?
6. What files/extensions should be saved?
File Path | Extension
7. What applications should have their user settings saved?
Application | Settings
8. Which user settings should be discarded?
Settings
9. Regional Settings
Location | Regional Settings
10. Which users should have their profile excluded?
11. Exclude user profile on last logon? If yes, since when (number of days / specific date time)?
Security
By default, only administrators have access to all SCCM features. Non-administrators may need access to only a subset of features and this access should be controlled.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. List of users/groups with their respective access
User / Group | Access | Computer
2. Is there any requirement to split the management into more than one SCCM infrastructure?
Remote Consoles
The SCCM console is the primary interface to configure, run, and access SCCM features and tools, and it is required to accomplish the day-to-day tasks required to configure sites, maintain the SCCM site database, and monitor the status of an SCCM hierarchy.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. How many concurrent consoles will be used?
2. List of connections
User / Group | Location
Discovery
An important concept to understand in SCCM is that of resource discovery. Before a client machine can be controlled and managed by SCCM it must be discovered.
The discovery process is important to initially find all resources, and also on an on-going basis so that newly built machines can be ‘discovered’ quickly and added to the SCCM site database. Discovering resources is the first phase of the client deployment process.
Date Modified on 19/10/2012 10:29 Version 0.1Author Raphael Perez Telephonedocument.docx Page 19 of 26
Once a resource has been discovered a Discovery Data Record, or DDR, is created and recorded in the SCCM site database.
A DDR contains resource properties such as:
SCCM unique identifier (GUID)
NetBIOS name
IP addresses
IP subnets
Operating system name and version
Domain or workgroup
Last logon user name
Name of discovery agent that generated the DDR
Active directory service container.
Active directory group.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Which of the following Discovery methods will be used?
Discovery method
Discover Resources
Source of Data
How often Included? Observations
Active Directory Forest Discovery
Domain, IP Address, Active Directory Sites
Domain Controllers
Active Directory System Discovery
Computers Domain Controllers
Date Modified on 19/10/2012 10:29 Version 0.1Author Raphael Perez Telephonedocument.docx Page 20 of 26
Active Directory User Discovery
Users Domain controllers
Active Directory GroupDiscovery
Groups Domain controllers
Heartbeat discovery
Computers The discovered computer
Network Discovery
Computers, routers and devices that respond to network requests
Network devices
2. Should the membership of distribution groups be discovered? (applicable to Active Directory Group Discovery)
3. Only discover computers that have logged on to a domain recently? If yes, what is the time since last logon (days)? (applicable to Active Directory System Discovery and Group Discovery)
4. Only discover computers that updated their computer account password recently? If yes, what is the time since last password update (days)? (applicable to Active Directory System Discovery and Group Discovery)
5. Forest Discovery
Domain Suffix | Account
6. Active Directory System Discovery
AD Container | Account | Observations
7. Active Directory User Discovery
AD Container | Account | Observations
8. Active Directory Group Discovery
Location / Group | Account | Observations
9. Network Discovery
Data | Value
Type of Discovery
Slow network awareness
Subnets
Domains
SNMP
SNMP Devices
DHCP
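The logon and password-age filters in questions 3 and 4 can be previewed against existing computer accounts before they are enabled. The PowerShell below is an added example, not part of the original questionnaire or of SCCM; the function name Test-DiscoveryFilter, the 90-day thresholds and the sample computers are assumptions, as is the premise that the filters evaluate the lastLogonTimestamp and pwdLastSet attributes.

```powershell
# Added example. Test-DiscoveryFilter, the thresholds and the sample rows are
# hypothetical. With the ActiveDirectory module, real input would come from:
#   Get-ADComputer -Filter * -Properties lastLogonTimestamp, pwdLastSet
function Test-DiscoveryFilter {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $LogonDays = 90,       # assumed answer to question 3
        [int] $PasswordDays = 90,    # assumed answer to question 4
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        # Both attributes are FILETIME values (100 ns ticks since 1601-01-01 UTC).
        # 0 or empty means the event never happened; report that as $null.
        $ageInDays = {
            param($FileTime)
            if (-not $FileTime -or [int64]$FileTime -le 0) { return $null }
            [math]::Round(($Now - [datetime]::FromFileTimeUtc([int64]$FileTime)).TotalDays)
        }
        $logonAge = & $ageInDays $Computer.lastLogonTimestamp
        $pwdAge   = & $ageInDays $Computer.pwdLastSet
        # $null compares as less than any number, so test for it explicitly.
        $logonOk = ($null -ne $logonAge) -and ($logonAge -le $LogonDays)
        $pwdOk   = ($null -ne $pwdAge) -and ($pwdAge -le $PasswordDays)
        [pscustomobject]@{
            Name            = $Computer.Name
            LogonAgeDays    = $logonAge
            PasswordAgeDays = $pwdAge
            Discovered      = $logonOk -and $pwdOk
        }
    }
}

# lastLogonTimestamp replicates only when the stored value is 9 to 14 days old
# (AD default), so a LogonDays threshold below about 14 gives unreliable results.
$now = (Get-Date).ToUniversalTime()
$sample = @(   # constructed sample accounts
    [pscustomobject]@{ Name = 'PC-ACTIVE'; lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc();   pwdLastSet = $now.AddDays(-20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-STALE';  lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc(); pwdLastSet = $now.AddDays(-210).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-NEVER';  lastLogonTimestamp = 0;                                  pwdLastSet = $now.AddDays(-1).ToFileTimeUtc() }
)
$sample | Test-DiscoveryFilter -Now $now | Format-Table -AutoSize
```

Accounts reported with Discovered = False would not be added to the site database by these filters, which makes the list a useful review set for decommissioned or never-joined machines before the thresholds are agreed.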
Mobile Device Management
This section applies to organizations with mobile devices, such as smart phones and tablets, that operate beyond firewalls but must be managed centrally.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. List of mobile device types
Manufacturer OS Name Version
2. How often should the polling interval (Windows CE only) be?
3. Will users be able to enrol mobile devices? If yes, list users and groups
User / Group
4. If the answer to question 3 is yes, what are the Issuing Certification Authorities and the Mobile device template to be used?
Certification Authority | Mobile device template
5. Should Exchange Active Sync be used to manage mobile devices? If yes, list the Exchange servers and accounts
Exchange server | Account
6. Will Windows Intune be used to manage Mobile Devices?
Client Installation
The next phase is to install the SCCM client software on the clients. The following section details the various installation methods available in SCCM.
Client Installation method | Advantage | Disadvantage

Client push installation
Advantage: Can be used to push to a single computer, a collection or the results from a query. Can be used to automatically install the client on discovered computers. Automatically uses client installation properties defined on the Client tab of the Client Push Installation Properties dialog box.
Disadvantage: Can cause high network traffic when pushing to large collections. Can only be used on computers that have been discovered. Cannot be used to install clients in a workgroup. A client push installation account must be specified which has administrative rights to the intended client computer. The Windows firewall must be configured on client computers with exceptions to allow client push installation to complete.

Software update point based installation
Advantage: Can use your existing software updates infrastructure to manage the client software. Can automatically install the client software on new computers if WSUS and Active Directory Group Policy are configured correctly. Does not require computers to be discovered before the client can be installed. If the Active Directory schema has been extended, computers can read installation properties published to Active Directory Domain Services. Will reinstall the client software if it is removed.
Disadvantage: Requires functioning software updates infrastructure as a prerequisite. Must use the same server for client installation and software updates, and this server must reside in a primary site. To install new clients, you must configure an Active Directory Group Policy object with the client's active software update point and port. If the Active Directory schema is not extended, you must use Group Policy to provision computers with client installation properties.

Group Policy installation
Advantage: Does not require computers to be discovered before the client can be installed. Can be used for new client installations or for upgrades. If the Active Directory schema has been extended, computers can read installation properties published to Active Directory.
Disadvantage: Can cause high network traffic if a large number of clients are being installed. If the Active Directory schema is not extended, you must use Group Policy to add client installation properties to computers in your site.

Logon script installation
Advantage: Does not require computers to be discovered before the client can be installed. Supports using command line properties for CCMSetup.
Disadvantage: Can cause high network traffic if a large number of clients are being installed.

Manual installation
Advantage: Does not require computers to be discovered before the client can be installed. Can be useful for testing purposes. Supports using command line properties for CCMSetup.
Disadvantage: No automation, therefore time consuming.

Upgrade installation (software distribution)
Advantage: Can leverage the features to upgrade the client by collection, or to a defined timescale. Supports using command line properties for CCMSetup.
Disadvantage: Can cause high network traffic when distributing the client to large collections. Can only be used to upgrade the client software on computers that have been discovered and assigned to the site.

Upgrade installation (automatic upgrade)
Advantage: Can leverage the features to upgrade the client by collection, or to a defined timescale. Supports using command line properties for CCMSetup.
Disadvantage: Can cause high network traffic when distributing the client to large collections. Can only be used to upgrade the client software on computers that have been discovered and assigned to the site.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
1. Client Installation method
Method | Included? | Comments
2. If client push is enabled, will client installation be automatic or manual after initial discovery?
Endpoint Protection
Endpoint Protection uses SCCM’s capabilities to perform tasks such as deploying antimalware clients, enforcing security policies on endpoints, managing devices, and alerting administrators to events.
The following questions will help to identify the various elements and components that will make up the base SCCM hierarchy.
Questionnaire
Automatically install Endpoint Protection on client computers? If yes, any exception?
Computer
Automatically remove previously installed antimalware software before installing Endpoint Protection? If yes, any exception?
Computer
Allow Endpoint Protection client installation and restart outside maintenance windows? If yes, any exception?
Computer
Suppress any required computer restarts after Endpoint Protection installation? If yes, any exception?
Computer
Allow users to postpone restart after Endpoint Protection installation? If yes, any exception?
Computer | How long (hours)
Allow the first definition update download only from the SCCM infrastructure? If yes, any exception?
Computer
Anti-malware policy
Computer Policy Data
Scheduled Scans
Scan Settings
Default Actions
Real-time protection
Exclusion Settings
Advanced
Threat overrides
Microsoft Active Protection Services
Definition updates
Windows Firewall Policies
Computer Policy Enabled Incoming connections Notify blocks
Domain Profile
Private Profile
Public Profile