November 27, 2009

Patching Standards or objectives

Patching in SCCM 2007

Nice blog posted by Steve Pruiit.

November 3, 2009

New Features Configuration Manager RTM (from SMS 2003)

Operating system deployment
Operating System Deployment provides the Configuration Manager 2007 administrator with a tool for creating images that can be deployed to computers managed by Configuration Manager 2007, and to unmanaged computers using bootable media such as a CD set or DVD. The image, a WIM format file, contains the desired version of a Microsoft Windows operating system and can also include any line-of-business applications that need to be installed on the computer.

Operating System Deployment provides the following functionality:

• Image capture
• User state migration using the User State Migration Tool
• Image deployment
• Task sequences

Desired configuration management-

1. Desired configuration management in Configuration Manager 2007 allows you to assess the compliance of computers with regard to a number of configurations, such as whether the correct Microsoft Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates and security settings.

2. Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to monitor and the rules that specify how those items must be set to be compliant. Configuration baselines can be imported from the Web as Best Practices, defined within Configuration Manager, or defined externally and then imported into Configuration Manager.

Network Access Protection for Configuration Manager-

1. Network Access Protection (NAP) is a policy enforcement platform built into the Microsoft Windows Vista and Windows Server 2008 operating systems that allows you to better protect network assets by enforcing compliance with system health requirements. You can configure DHCP Enforcement, VPN Enforcement, 802.1X Enforcement, IPsec Enforcement, or all four, depending on your network needs. ConfigMgr 2007 SP1 will integrate with Windows NAP to allow you to restrict clients if they do not have the software updates that you designate as required.

2. Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer does not have all the software updates required by ConfigMgr NAP policies, the computer is noncompliant and considered unhealthy. NAP enforcement can automatically install the required software updates, and until these are successfully installed, the computer can be restricted from accessing the full network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

Wake On LAN – The following scenarios are supported-

1. Sending a wake-up transmission prior to the configured deadline for a software update deployment.

2. Sending a wake-up transmission prior to the configured schedule of a mandatory advertisement, which can be for software distribution or a task sequence.

Enhanced and/or Changed Features-

1. Software Updates

The software update feature in ConfigMgr has been rewritten to make it simpler to use but the security requirements are similar to SMS 2003. When you download software updates to create packages, use proper access controls to prevent attackers from modifying valid software updates. Retrieve software updates directly from or from a trusted source in your environment so that you can validate the integrity of the files.

2. Software Update Point

The software update point is installed as a site system role in the Configuration Manager console. The role must be created on a server that has Windows Server Update Services (WSUS) 3.0 installed. It provides the communication with WSUS and synchronizes with the WSUS database to retrieve the latest software updates from Microsoft Update, as well as custom published software updates.

3. Software Updates Client Agent

The Software Updates Client Agent in Configuration Manager 2007 is enabled by default, and client agent components are installed on client computers with the other Configuration Manager client components. The Software Updates Client Agent handles compliance assessment scan requests, software update evaluation requests, deployment policies for the client, and content download requests.

4. Software Updates Reporting

The predefined software updates reports and underlying software updates SQL Server views have been modified in Configuration Manager 2007 to work with the new software updates infrastructure. During a site upgrade, the Systems Management Server 2003 reports are migrated, but they might fail to run or retrieve the expected data. Several new reports have been created to support software updates in Configuration Manager and are grouped in the following categories:

• Software Update Management – Compliance

• Software Update Management – Deployment Status

• Software Update Management – Distribution Status

• Software Update Management – Infrastructure Status
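
One way to act on the download guidance under "1. Software Updates" above, as an added example (not from the original post or from Microsoft): a PowerShell audit of an update package source folder that lists principals holding write access outside an allowed set and flags update files lacking a valid Authenticode signature from the expected publisher. The folder path, the allowed-writer list and the signer pattern are assumptions to adjust for your environment.

```powershell
# Added example: audit an update package source folder before packages are built.
# $SourcePath, $AllowedWriters and $ExpectedSigner are assumptions, not SCCM defaults.
param(
    [string]$SourcePath = 'D:\UpdateSource',    # hypothetical package source folder
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
    [string]$ExpectedSigner = '*O=Microsoft Corporation*'
)

# Rights that let a principal alter or replace update files, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that can appear in ACEs.
$fs = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fs::WriteData -bor $fs::AppendData -bor $fs::Delete -bor
    $fs::DeleteSubdirectoriesAndFiles -bor $fs::ChangePermissions -bor
    $fs::TakeOwnership) -bor 0x10000000 -bor 0x40000000

function Get-UnexpectedWriter {
    # Returns Allow ACEs that grant write-type rights to principals not in $Allowed.
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
        $Allowed -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Test-UpdateSignature {
    # Checks each update file's Authenticode signature; anything that is not
    # 'Valid' with the expected publisher is reported as untrusted for review.
    param([string]$Path, [string]$Signer)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.msi, *.msp, *.msu, *.cab |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            New-Object PSObject -Property @{
                File    = $_.FullName
                Status  = $sig.Status
                Signer  = $subject
                Trusted = ($sig.Status -eq 'Valid' -and $subject -like $Signer)
            }
        }
}

$aclFindings = @(Get-UnexpectedWriter -Path $SourcePath -Allowed $AllowedWriters)
$untrusted   = @(Test-UpdateSignature -Path $SourcePath -Signer $ExpectedSigner |
    Where-Object { -not $_.Trusted })

$aclFindings | Format-Table -AutoSize
$untrusted   | Format-Table File, Status, Signer -AutoSize
if ($aclFindings.Count -gt 0 -or $untrusted.Count -gt 0) { exit 1 }
```

A non-zero exit code means at least one finding, so the script can gate a package-creation step in a scheduled job.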

Branch Distribution Points-

You can configure a branch distribution point to allow local access to packages without the overhead of installing a site server in that location. Branch distribution points can be installed on any Configuration Manager 2007 client, including Windows XP Professional workstation computers. Workstation computers are generally not subject to the same physical access controls as server computers, so you must monitor your usage of branch distribution points.

Internet connected clients-

Internet-connected clients are supported: clients will be able to communicate in a secure manner to receive software updates over the Internet.

Planned integration of Softricity-

Application Virtualization will be the next “big thing” in the virtualization realm. With ConfigMgr SP1 (or perhaps R2), we should see a full integration of Softricity Softgrid with ConfigMgr 2007 distribution points.

Support of SCCM 2007 site systems on x64 platforms
Support of SCCM 2007 with SQL Server 2005 virtual cluster


The following features used to be available only in Feature Packs but are now incorporated into the core product:

Mobile device management-

The following device operating systems are supported with the Configuration Manager Device Management client that ships with Configuration Manager:

• Windows Mobile for Pocket PC 2003

• Windows Mobile for Pocket PC 2003 Second Edition

• Windows Mobile for Pocket PC Phone Edition 2003

• Windows Mobile for Pocket PC Phone Edition 2003 Second Edition

• Windows Mobile Smartphone 2003

• Windows Mobile for Pocket PC 5.0

• Windows Mobile for Pocket PC Phone Edition 5.0

• Windows Mobile 5.0 Smartphone

Transfer site settings wizard-

Enhancement for the ConfigMgr Administrator

Manage site accounts tool (MSAC)-

Enhancement for the ConfigMgr Administrator

New “Asset Management” Features-

1. Recent Usage Inventory-

◦ The SCCM metering agent will inventory the last time any executable was run in the user context.
◦ Data is returned through hardware inventory.
◦ Additional reports will help you answer the “When was the last time this was used?” question.

2. Auto-created Metering Rules-

◦ Last Usage Inventory can be used to auto-create full metering rules, which you can decide to enable.
◦ Simplifies the process of creating metering rules.

3. Asset Change Summarization-

◦ A summary of changes to computer assets is stored in a central table.
◦ Managing deltas helps reduce the complexity of asset management.
◦ Additional reports help you answer the “What has changed recently in my environment?” question.

4. Client Access Licenses usage tracking for Microsoft Windows and Exchange-

◦ Both User and Device CAL usage is tracked.
◦ Based on Security audit logs.
◦ Additional reports answer the “who used up the CALs” and “when did they do that” questions.

November 2, 2009


Windows NT reserved words that cannot be used as a site code include:

For those on SCCM with R2, you cannot use the following: OSD, SRS and FCS, as these will disable features in R2.