You are browsing the archive for 2011 October.

Technet Livemeeting: BitLocker in the enterprise – After Care

9:37 am in Uncategorized by nsienaert


Hi there,

First of all I want to thank all the attendees for joining the meeting and giving a lot of positive feedback.

Some people subscribed and couldn’t make it. Now they are waiting for the recording but I have some bad news…

Because of technical issues we have a recording without audio.

The good news is, that I will do the same presentation internally at Microsoft and at that time we will try a second attempt.

This is scheduled in the beginning of December so please have some patience.

During the LiveMeeting there were some questions that I couldn’t answer directly. Here you have the answers.

– Will there be MBAM support with Intune?

Most probably yes, but no official statement can be given so far. There are also rumours that the MBAM agent will be integrated into the SCCM agent.

– Is there a way to force users to encrypt rather than allow them continue to postpone?

In this version of MBAM it is not possible. It might be included in the next version.

Another attendee asked how to handle BitLocker with MBAM in a refresh scenario when booting into Windows PE. I explained that Niall wrote a great blog post about this.

Here you have the link.

http://www.windows-noob.com/forums/index.php?/topic/4173-how-can-i-retrieve-my-bitlocker-recovery-key-from-mbam-in-windows-pe/


Till next time!

Nico Sienaert


TechNet LiveMeeting: DaRT

8:43 am in Uncategorized by nsienaert


Hi there!

I’m presenting another TechNet LiveMeeting about another MDOP tool:

Diagnostics and Recovery Toolset (DaRT) 7.

What is this toolset? How should you use it in an enterprise? How can you integrate it into your OS deployment? How can you customize it?

We start Thursday 17 November at 2pm (GMT +1).

Don’t underestimate the power of DaRT, subscribe, watch and learn.

Hope to meet you all there!

Nico Sienaert


SCCM 2012: RBAC

8:36 am in Uncategorized by nsienaert

Hi There,

I had planned to blog about RBAC basics, but I'm not going to reinvent the wheel, as Lin Tang already did a great job on this topic last week.

http://blogs.technet.com/b/configmgrteam/archive/2011/09/23/introducing-role-based-administration-in-system-center-2012-configuration-manager.aspx

Till next time!

Nico Sienaert


SCCM 2012: The new Infrastructure Specifics

8:26 am in Uncategorized by nsienaert


Hi There!

In this post I’ll talk about the infrastructure enhancements in SCCM 2012.

The product team re-engineered the infrastructure components to simplify and flatten the hierarchy.

1. Today with SCCM 2007, child primary sites are often created mostly for security reasons and to apply different site settings.

This “tiered” setup of parent and child primary sites is not supported anymore.

So how do we handle security and site settings today?

Security: You no longer need extra primary sites for decentralized management. With a new concept called RBAC (role-based access control, called role-based administration in SCCM 2012) we can now assign roles and scopes to administrative users of the SCCM console. I'll talk about RBAC in detail in my next post.

Client Settings: These settings are no longer site-wide only. You can still configure them at site level, but now you can also target client settings to collections.

2. Secondary sites still exist. With SCCM 2012 you will probably still decide to use a secondary site when you want to control your upward-flowing WAN traffic (client data going to the primary) via the secondary site's Management Point. So not much has changed here.

New is that each secondary site also has a SQL database installed (SQL Server Express is sufficient). Global Data is replicated to this database; I'll cover Global Data later in this post.

Secondary sites can also do Content Routing, which means content can be sent from one secondary site to another. This is interesting in a scenario where the WAN connection between two secondary sites is better than the connection between the primary and a secondary site.

3. Distribution Points gained a lot of infrastructure capabilities. Another reason to install a secondary site with SCCM 2007 was to control network traffic, since only site-to-site traffic could be throttled and scheduled. Now we can configure throttling and scheduling on the Distribution Point role itself, similar to what we used to do on site addresses.

You will probably also want a local DP when using multicast or App-V streaming.

4. Branch DPs do not exist anymore. For small branches you can look into BranchCache. Prerequisites to use this:

  • Clients need to be compatible with BranchCache:
    • Windows 7
    • Windows Vista with KB 960568 installed
  • Your DP needs to be Windows Server 2008 R2 to enable BranchCache

New capabilities to simplify Infrastructure administration

1. Content Prestaging

Tools that we knew from SCCM 2007 for prestaging content, such as Courier Sender, PreloadPkgOnSite and manual prestaging on a Branch DP, are replaced by one tool: extractcontent.exe.

The console creates the prestaged content file (.pkgx); extractcontent.exe is the tool you run on the remote DP to import it.

The way it works is still similar. You create the prestaged content file, ship the media to the remote DP, and import the content there with extractcontent.exe, which you can find on the installation media. The DP then registers the content with its primary site server.

Additionally there is conflict detection: if a package changed between creating the prestaged file and the media arriving, SCCM knows which deltas to update.
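As an added illustration of the import step above (not code from this post and not ConfigMgr's own tooling): the media that arrives at the remote DP has travelled outside your control, so this script refuses to run extractcontent.exe until the .pkgx hashes to a SHA-256 value that was sent separately from the media. The out-of-band hash manifest is my own convention; the ExtractContent.exe switches `/P:` (path to the .pkgx) and `/S` (for a DP installed on a site server) are the ones documented for ConfigMgr 2012, but check the tool's own usage output before relying on them. The runner is injectable so the flow can be exercised without a real DP.

```python
"""Verify a shipped prestaged content file before importing it with ExtractContent.exe.

Added example, not ConfigMgr's own code.  The out-of-band SHA-256 manifest is an
assumption of this example; ExtractContent.exe's /P: and /S switches are the ones
documented for ConfigMgr 2012 (verify against the tool's usage output).
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a multi-GB .pkgx does not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_prestaged_file(pkgx_path, expected_sha256):
    """True only if the file on the media hashes to the value that was sent separately
    (mail, ticket, phone).  Constant-time compare is habit rather than a requirement here."""
    actual = sha256_of_file(pkgx_path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def extractcontent_command(pkgx_path, on_site_server=False, tool="ExtractContent.exe"):
    """Argument list for the import.  /P: points at the .pkgx, /S is the switch for a
    DP that is installed on a site server.  `tool` is wherever you copied the exe to."""
    cmd = [tool, "/P:" + os.path.abspath(pkgx_path)]
    if on_site_server:
        cmd.append("/S")
    return cmd


def import_prestaged_content(pkgx_path, expected_sha256, on_site_server=False,
                             runner=subprocess.run):
    """Refuse to import when the hash does not match; otherwise run ExtractContent.exe."""
    if not verify_prestaged_file(pkgx_path, expected_sha256):
        raise RuntimeError("SHA-256 mismatch for %s; content not imported" % pkgx_path)
    return runner(extractcontent_command(pkgx_path, on_site_server), check=True)


def demo():
    """Constructed stand-in for a shipped .pkgx: exercises the good and the tampered case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pkgx = os.path.join(tmp, "PRI00001.pkgx")
        with open(pkgx, "wb") as f:
            f.write(b"PKGX\x00constructed sample content\x00" * 1000)
        good_hash = sha256_of_file(pkgx)
        results["match"] = verify_prestaged_file(pkgx, good_hash)
        results["mismatch"] = verify_prestaged_file(pkgx, "00" * 32)
        calls = []
        fake_runner = lambda cmd, check: calls.append(cmd) or 0   # records instead of executing
        import_prestaged_content(pkgx, good_hash, on_site_server=True, runner=fake_runner)
        results["command"] = calls[0]
        try:
            import_prestaged_content(pkgx, "00" * 32, runner=fake_runner)
            results["refused"] = False
        except RuntimeError:
            results["refused"] = True
        results["calls"] = len(calls)   # the tampered file must never reach the tool
    return results


if __name__ == "__main__":
    print(demo())
```

On a real DP you would call `import_prestaged_content(r"E:\PRI00001.pkgx", hash_from_the_ticket, tool=r"D:\SMSSETUP\TOOLS\ExtractContent.exe")` (the tool path is an assumption; use wherever you copied it from the installation media). The hash value itself must come from a channel other than the media, otherwise the check proves nothing.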


2. Regarding boundaries, Active Directory Forest Discovery is new in SCCM 2012. Boundaries based on AD sites and IP subnets are still possible as we know them from SCCM 2007.

Untrusted forests can be discovered as well by providing the necessary credentials of course.

Another cool thing is that you can choose to auto-create boundaries.


As I mentioned already in previous posts, boundary groups are another new concept. You can consider them as logical containers to put boundaries in. So far, so good…

The most important thing to know is that boundary groups, and no longer the boundary itself, are used for site assignment and content lookup. A boundary that is not a member of any boundary group does nothing for either. So don't forget to add your DPs to your boundary groups (see previous post).
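To make the boundary-group rule concrete, here is an added model of the lookup (my own illustration, not ConfigMgr code; the boundaries, group names, site codes and DP names are constructed). It goes slightly beyond the post: besides the "boundary exists but is in no group" failure mode it also surfaces the case where overlapping groups assign different sites, which SCCM 2012 does not support for site assignment.

```python
"""Model of SCCM 2012 boundary-group lookup: site assignment and content location.

Added example, not ConfigMgr's own code.  The sample boundaries, group names, site
codes and DP names are constructed.  The rules modelled are the ones from the post:
a client matches boundaries, boundaries live in boundary groups, and only the group
carries the assigned site and the DPs.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Boundary:
    kind: str    # "IPSubnet", "IPRange" or "ADSite"
    value: str   # "10.1.0.0/16", "10.2.0.1-10.2.0.254" or an AD site name

    def matches(self, client_ip: str, ad_site: Optional[str] = None) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if self.kind == "IPSubnet":
            return ip in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "IPRange":
            low, high = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return low <= ip <= high
        if self.kind == "ADSite":
            return ad_site is not None and ad_site.lower() == self.value.lower()
        raise ValueError("unknown boundary kind: %r" % self.kind)


@dataclass
class BoundaryGroup:
    name: str
    boundaries: List[Boundary]
    assigned_site: Optional[str] = None          # None: group not used for site assignment
    distribution_points: List[str] = field(default_factory=list)


def groups_for_client(groups, client_ip, ad_site=None):
    """Every group with at least one boundary the client falls into."""
    return [g for g in groups if any(b.matches(client_ip, ad_site) for b in g.boundaries)]


def site_assignment(groups, client_ip, ad_site=None):
    """Site codes the client could be auto-assigned to.  Empty: no group covers the
    client.  More than one: overlapping groups with different sites, so fix the groups."""
    return sorted({g.assigned_site for g in groups_for_client(groups, client_ip, ad_site)
                   if g.assigned_site})


def content_locations(groups, client_ip, ad_site=None):
    """DPs the client is offered for content, without duplicates.  An empty list is the
    'boundary exists but no group with a DP contains it' failure mode."""
    dps = []
    for g in groups_for_client(groups, client_ip, ad_site):
        for dp in g.distribution_points:
            if dp not in dps:
                dps.append(dp)
    return dps


def orphan_boundaries(all_boundaries, groups):
    """Boundaries that are in no group: they do nothing for assignment or content."""
    in_group = {b for g in groups for b in g.boundaries}
    return [b for b in all_boundaries if b not in in_group]


# Constructed sample: two office groups, one content-only fallback group covering the
# whole 10/8, and one boundary someone created but never put in a group.
SAMPLE_GROUPS = [
    BoundaryGroup("BG-Brussels",
                  [Boundary("IPSubnet", "10.1.0.0/16"), Boundary("ADSite", "BRU")],
                  assigned_site="BRU", distribution_points=["DP01.contoso.local"]),
    BoundaryGroup("BG-Paris",
                  [Boundary("IPRange", "10.2.0.1-10.2.0.254")],
                  assigned_site="PAR", distribution_points=["DP02.contoso.local"]),
    BoundaryGroup("BG-HQ-Content-Only",
                  [Boundary("IPSubnet", "10.0.0.0/8")],
                  assigned_site=None, distribution_points=["DPHQ.contoso.local"]),
]
ORPHAN = Boundary("IPSubnet", "192.168.7.0/24")
ALL_BOUNDARIES = [b for g in SAMPLE_GROUPS for b in g.boundaries] + [ORPHAN]


if __name__ == "__main__":
    for ip, site in [("10.1.5.5", None), ("10.2.0.50", "BRU"), ("192.168.7.10", None)]:
        print(ip, site, site_assignment(SAMPLE_GROUPS, ip, site),
              content_locations(SAMPLE_GROUPS, ip, site))
    print("orphans:", orphan_boundaries(ALL_BOUNDARIES, SAMPLE_GROUPS))
```

The client at 192.168.7.10 sits in a boundary that exists in the console but belongs to no group, so it gets neither a site nor a DP; the client at 10.2.0.50 in AD site BRU matches both office groups and would be a site-assignment conflict to resolve before rollout. Running `orphan_boundaries` over an export of your real boundaries is the quick sanity check for the "don't forget" in the paragraph above.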

3. SCCM 2012 has a new replication model to simplify your administration.

We talk about:

  • Global Data, which is replicated via SQL throughout the whole hierarchy (CAS, primaries and secondaries). A rule of thumb to know what Global Data is: everything created by the admin in the SCCM console. Examples: package metadata and collection rules.

  • Site Data, which is also replicated via SQL. The rule of thumb here: everything that is created by the system itself. Examples: collection members, hardware inventory (HINV), status messages. This data can be found on the CAS and on the originating primary site.

  • Content Replication is still file-based.

Luckily Microsoft did a good job keeping the SQL replication simple, and automated a lot under the hood. So you don't need to be a SQL guru at this point, but of course as SCCM admin it's always interesting to have a good relationship with your DBA. Also, diagnostic files (csv format) can be exported easily so your DBA friend can examine them.

The clever ones among us might remark: "OK, so everything is SQL replication, but why do I still see inboxes and outboxes on my SCCM server?" Well, those are still used for file-based replication (content) and for processing the client data that the Management Point hands over to the site server.

The new replication model:

So yes, if you create a collection at the US site, it will be visible at the Europe site as well, because collection rules are Global Data. To keep control over this, collection limiting and RBAC (security scopes) help you to fine-tune who can see and use what.

Till next time!

Nico Sienaert
