
The future of Configuration Manager / Microsoft Intune – my personal view

7:17 pm in ConfigMgr, Intune, SCCM by The WMI guy

Hi All,

This is a blog post that is long overdue on my part, as I’ve been wanting to write this for a long time. I will however start off with a “disclaimer” on this one. These are my personal views, and although I’ve been awarded the Enterprise Client Management MVP for 10 years, or a decade if you will, none of this is based on inside information I’ve received from the product group.

Current State of affairs


Intune Standalone


Intune standalone tends to receive new features first, as Microsoft has a Cloud First and Mobile First strategy. Microsoft Intune, which as I’ll attest in this post is largely a mobile device management solution, seems a natural fit for that. A couple of important things are happening for Intune: significant changes are being made around protecting the data with EMS, including Rights Management, and multi-factor authentication is being added. Combined with an alignment of the device management enrollment experience across the different mobile platforms, these are important steps for the future of Microsoft Intune. I still feel steps need to be taken to make managing the online identities easier; granted, the newly released Azure Active Directory sync services seem to be a good step in the right direction there.

Hybrid Intune


Hybrid Intune, integrated into System Center Configuration Manager 2012 R2 usually receives features released for Intune Standalone some time after the standalone release. Some features follow quickly, some take a little more time.

Heavy Investments in Microsoft Intune explained


Clarification Heavy investments in extending its mobile capabilities


To be clear, a lot of the ConfigMgr administrators aren’t particularly happy with how much investment goes to the “cloud”, and what seems to be a fraction going to the “on-premise” stuff. Quite a few of them seem to conclude that Microsoft is aiming at replacing Configuration Manager. When you look at the investments though, most if not all of these investments are being done in features related to mobile device management. In fact, quite a few companies that were onboard with Windows Intune in the days it was still named that, and was originally geared as a systems management solution for SMB, are disappointed by the lack of progress made in that field in the last 3 years or so. Nothing new has been done for that market in a long, long time, yet this might add to the confusion, as the original Intune was seen as a replacement for System Center Essentials, whose development was stopped not so long before Windows Intune surfaced. In my view, Microsoft completely repurposed the Windows Intune infrastructure / architecture for mobile device management. They didn’t go as far as to eliminate the workstation management features already in it, but other than sustaining the code I've yet to see huge improvements in that particular field. If they did happen, I definitely have missed them. So, yes, Microsoft has a cloud focus, however, as being stated by Microsoft plenty of times it’s Cloud Only, it’s Cloud first. Which, to my point, was recently changed to Cloud First, Mobile First.

Mobile device market booming like crazy


The level of investment in the mobile device management market is largely because the mobile device market itself is booming like crazy. Again, some people seem to draw the conclusion that this means the end of the regular Windows market. Again, when you look at today’s numbers, the regular Windows market is nothing shy of steady for the next 3 years according to the same predictions used by Brad Anderson in his post here: http://blogs.technet.com/b/in_the_cloud/archive/2014/06/17/success-with-enterprise-mobility-empowering-sccm-admins.aspx There’s no huge increase in sales numbers, yet there’s no significant decrease or collapse either. When looking at IDC’s latest forecasts, which is the same source Microsoft used, the numbers are actually still increasing: http://www.idc.com/getdoc.jsp?containerId=prUS24314413. Less desktops, largely compensated by higher laptop sales, given that some of those tablets. With the success of the Surface Pro 3, part of that tablet market is in the category of regular Windows as well. The mobile device market on the other hand has a projected potential of becoming anywhere between 3 to 5 times the size of the regular Windows market. On top of that number of devices game, there is still a challenge in convincing/finding an offer to convince quite a few businesses that mobile device management is needed. I guess I am kicking in an open door when I say that systems management of mobile devices requires a vastly different feature set than that of managing non-mobile devices.

Systems management in mobile device market undergoing rapid changes as well


The other reason Intune is drawing in so many investments / is costing so much money is that the systems management field is offering management of multiple platforms, which increases the effort that has to be put in. And every new mobile OS comes with increased abilities for management that need to be supported. This, combined with the rapid pace at which new versions of mobile platforms are released, means you need a big team to keep up. In the past couple of years though, keeping up was far from enough for Microsoft. They were new in the market and had to play catch-up feature-wise big time. With the investments done in the past 2 to 3 years, and the release of EMS, Microsoft is finally closing the gap somewhat.

Requirements for Intune to take over the world


You’ll notice a theme in this section on things I consider a requirement before Microsoft Intune can become the Systems Management tool to rule them all. I believe you need at least 4 features for a systems management solution that Microsoft Intune standalone at present doesn’t offer, or where it needs extensive work to provide something competitive.

  1. OS Deployment

  2. Software distribution

  3. Server Management

  4. License management


NOTE: These 4 features are needed in my perspective for what a colleague of mine and I have started to name “Open devices”. To explain systems management in today's world we’ve chosen to categorize devices as open versus closed, instead of using mobile devices, hybrids, laptops, desktops, etc.

Open devices to us are devices that have alternate means of installing software outside of a controlled store, whereas closed devices are devices that can only install software from the corresponding store.

OS Deployment


OS Deployment should be an integral part of a decent systems management solution. However, the technical field of OS Deployment is changing at a rapid pace. With Microsoft increasing the cadence of new versions of their client/workstation/mobile OS, whatever you want to call it, this field might become either more important, or lose its importance overall. It’s no secret that Microsoft is aiming for an application upgrade experience for consumers much like iOS upgrades go. In-place upgrades that sustain your data and applications is where the future lies for OS Deployment, at least for consumer devices. Whether this same approach is a good fit for businesses and enterprises remains to be seen.

It definitely poses challenges to deliver the OS Deployment service we tend to offer nowadays. Delivering the user a device that fully works (is domain joined, has access to all the necessary company resources and has all applications installed that the user needs) is a major challenge without going through OS Deployment. I recently had a customer asking me whether he needed to wipe and load his Surface Pro 3’s with the company image or whether we could use these out of the box. As with many of our customers their need for the image roughly comes down to “Make sure all the drivers are installed so there’s no unknown devices in device manager, and eliminate all the vendor installed junk”. Well the Surface Pro 3 image completely fits that need, so a wipe and load shouldn’t be necessary. From a process perspective though that would mean the IT department would have to:

  1. take a machine and login with a local admin account

  2. Join it to the domain and change the local admin password to meet with the company’s needs.

  3. Install the Configuration Manager client onto it

  4. Wait for policies to come down

  5. Verify whether all applications and software updates are installed


In the end, the overhead of not wiping-and-loading seemed larger than just following the standard process, as is.

So, in short, OS Deployment needs to be added to Microsoft Intune or businesses must decide that the need for OS Deployment is eliminated.

For this last bit to hold true, Microsoft needs to deliver on their failsafe OS Upgrade scenario well-enough to win the hearts of IT Departments, businesses will most likely have to adopt workplace join as opposed to domain join, and users will have to be self-sufficient to get their software themselves.

At present, and it’s not because of lack of requests, Intune seems to expect that the need for OS deployment will disappear somewhere in the future, as no announcements, commitments or what-so-ever seem to indicate OS Deployment is on the roadmap anytime soon.

Software distribution


I don’t think I am exaggerating when I say that in today’s day and age, without Software distribution to deliver additional software, you don’t have a systems management solution. People need additional software, and without local admin privileges for end users, IT departments need a way to deliver. Yes, I am aware Microsoft Intune delivers software distribution as a feature. However, what they’re offering out of the box isn’t anything you would want to fully rely on as your main means of software distribution, as it barely offers more than group policy based software distribution, and lacks flexibility and versatility.

Again, in short, Software distribution needs to be strongly enhanced or business must decide on the elimination of the need for Extended Software distribution.

For this last bit to hold true, either users need to become self-sufficient and get all their software from the store, or all applications have to become web apps most likely html5, or a mix of both.

Again when looking at the investments made into the Store, and the lack of investments in this field for Microsoft Intune my conclusion is Intune expects the need for Software Distribution to become less needed over time.

Server Management


A bit like the OS Deployment bit, and not because of lack of requests, but Microsoft Intune offers no server management worth that name.

So, either Server management needs to be added to Microsoft Intune, or businesses need to decide on the elimination of the need for server management. (Caught the theme yet?)

Again, that last bit might hold true in the future, assuming you believe in the idea that businesses are no longer going to have their own servers, and everything is hosted by a limited number of datacenter providers that’ll maintain and patch/test your servers for you. When looking at the current Azure RemoteApp offering, when you want to include custom apps, that last bit seems to be something we might see in a distant future.

License Management


The License Management feature discussion is similar to the one on extended software distribution.

Some form of license management or elimination of the need for license management needs to occur.

Again, the latter could happen when all apps come from the store, or are html5 subscription based apps.

Where is the Systems Management market heading?


Data protection


Data protection is key. The recent Sony hack emphasizes this point once more: data protection is critically important. In fact one might argue that this might actually be the answer to managing BYOD type of devices, where we could decide to no longer manage these devices, but start managing and protecting the data. In a world where users can self-service most of their tasks themselves, the largest need for systems management is to

  1. Keep the device operational

  2. Protect the data on the device


When the data is protected by let’s say, rights management and multi-factor authentication the largest need for systems management comes down to 1. Which could be solved by allowing factory-reset like functionality.

New version of Configuration Manager coming


A new version of Configuration Manager is coming, and it’ll have a 10-year support lifecycle as all Microsoft enterprise products, so ConfigMgr Administrators are still good for a while.

Summary


Is Intune going to replace System Center Configuration Manager? It might, but it won’t happen overnight. My current point of view is that Microsoft is focusing on Microsoft Intune for mobile device management, yet has no desire to kill off a billion dollar market in managing non-mobile devices. Even if the amount of growth feasible in non-mobile device management is minimal, investments are still made, some of them in fields where growth can be achieved (Mac & Linux mgmt anyone?). When a popular train of thought sees the light of day, and we all stop working on “Open Devices” and make the switch to “Closed aka mobile devices”, that’s when Microsoft is ready to pull the plug on System Center Configuration Manager. As long as that is not the case, they’ll happily cash in on that billion dollar business and try to grow a multi-billion dollar cloud service right alongside it.

How I reached that point of view, is what I tried to explain in this article.

-- Enjoy. "The M in WMI stands for Magic"
"Everyone is an expert at something"

Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP – Belgium MEET member

mail: Kim.oppalfens@oscc.be
http://www.scug.be/thewmiguy

http://www.linkedin.com/in/kimoppalfens

http://twitter.com/thewmiguy

Client Notification status custom admin UI Node (Part 1)

1:23 pm in CMCE, ConfigMgr, Console Extension, SCCM, SDK by The WMI guy

Summary

Hi All,

This blog post is a follow-up to my tweet around figuring out how to create custom nodes in the Configuration Manager admin UI. The sample at hand will be based on displaying Client Notification status for clients based on the new Client Notification functionality added in ConfigMgr SP1. I’ll split this post up in 2 sections, one for those of you that are interested in adding the Client Notification Status Node, and one for those that are interested in building their own node(s).

The client notification status node explained

The client notification status is based on the feature added to System Center Configuration Manager 2012 SP1. The feature is also known as fast channel internally at Microsoft or the Big Green Button. You can’t talk about this feature without mentioning the thoroughly detailed blog on the topic by Randy Xu. You can read up on that here: http://blogs.technet.com/b/configmgrteam/archive/2012/09/27/fast-channel-for-system-management.aspx

In the Q&A one of the questions is: Can I see the online status of clients from the Configuration Manager console? The answer to that has been: Not currently.

So that’s what I wanted to solve as I was looking for a sample node I could create. The client notification status returns results from the SMS_CN_Clientstatus as mentioned in the blog post. (Funny side note, if you ask me, is that I actually found the blog post based on searching for this class, as I had discovered the class while casually browsing WMI. And yes, I am aware I have a problem :-))

The node has 5 columns, client computer name, Online Status, Channel Type, LastStatusTime, ServerID

NetBIOS Name

The Client computer name is self-explanatory.

Online Status

Online status is the info I really cared about, as that tells you whether a client is “Online”. Now what does Online actually mean in the context of Client Notification Status? Does that mean the machine is turned on and on the network? Well, the answer to that is “It depends”. When we thoroughly read the aforementioned blog post there are a couple of caveats.

  1. There’s a random sleep timer of 10 minutes when starting a machine before it contacts the Client Notification Server (so the machine could be online although it is reported as offline, because it hasn’t reported in just yet).
  2. The Client Notification Server is expecting some form of communication every 20 minutes, which means that worst-case a client could be reported as Online, whereas it actually went offline 19 minutes ago.

So, to summarize, this information isn’t really real-time, although it does give you a pretty good indication.

Channel Type

The Client Notification Status feature can work over TCP (Port 10123 by default) or HTTP. There’s some interesting things to note here as well. Most importantly, the thing that sets Client Notification Status apart from different right-click actions, is the direction of the network traffic. The Fast Channel communication channel is opened from the client towards the “Notification Server or BGB Server”. Now, the Notification Server isn’t a separate role you get to install, every management point post SP1 automagically becomes a BGB server as well. The interesting bit here is the direction, from a firewall perspective opening up communications in one direction or another can be a big deal. A lot of security folks will prefer not opening up any ports towards your clients.

The other important note in the Q&A section is that fast channel communications happen with the MP in the assigned site. So, when you have clients in a secondary site, they’ll contact the BGB Server in the primary. This might make client notification non-workable in these types of environments unless you are prepared to let that firewall traffic pass.

Finally, there’s the potential question on, why would I enable TCP when this can pass over https just as well? A question I won’t answer here, a) because it’s a why question :-) and b) because it is thoroughly answered in the product team’s blog.
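The direction described in this section, as an added example that is not part of the original post: with Windows Firewall the only inbound rule sits on the management point, and the client side is just an outbound check plus an audit that nothing listens there. The host name and subnet are placeholders, and the cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Host name and subnet are placeholders.
# Uses the NetSecurity / NetTCPIP cmdlets (Windows 8 / Server 2012 or later); run elevated.
param(
    [Parameter(Mandatory)] [ValidateSet('ManagementPoint', 'Client')] [string] $Role,
    [string] $ManagementPoint = 'mp01.corp.example',   # hypothetical MP / BGB server name
    [string] $ClientSubnet    = '10.10.0.0/16',        # hypothetical client address range
    [int]    $Port            = 10123                  # default TCP port named in the post
)

if ($Role -eq 'ManagementPoint') {
    # The only listener is on the MP: allow inbound from the client range, nothing broader.
    New-NetFirewallRule -DisplayName "ConfigMgr client notification (TCP $Port in)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $ClientSubnet -Profile Domain -Action Allow
    return
}

# Client side: nothing has to listen here, the client dials out to the MP.
$Probe = Test-NetConnection -ComputerName $ManagementPoint -Port $Port
"Outbound to ${ManagementPoint}:$Port reachable: $($Probe.TcpTestSucceeded)"

# An established fast channel appears as an ephemeral local port talking to the remote port.
Get-NetTCPConnection -RemotePort $Port -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# Audit: flag any enabled inbound allow rule on the client that names this port.
$Inbound = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($Inbound) {
    Write-Warning "Inbound allow rule(s) for TCP ${Port} on a client: $($Inbound.DisplayName -join ', ')"
}
```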

Last Status Time

Not entirely sure on this one, but my guess is this is updated whenever a client contacts its BGB server, so that would be on establishing the fast channel. My preliminary tests show this happens on client restart, yet not on successfully executing a client notification action.

Server ID

The Server ID is the actual BGB Server you are having a fast channel with. I am not positive on how interesting this info is, and neither whether this can be different from the management point you are connected to. I’d like for this to display the server name, however, haven’t found a way to get the ID through WMI. I can get it from SQL but that would require special permissions and I am not really in favor of adding ui elements that bypass WMI.

So this is what it all looks like in the end: (The NetBIOS Name column entries have been masked to hide my lack of creativity in choosing computer names for my lab)

image

 

Installing the Client Notification Status Node

Installing the custom console node is easy enough, especially for those that have installed extensions before. In essence it means placing some executable/dll in the adminconsole\bin folder, plus adding the right xml to the AdminConsole\XmlStorage\Extensions\Nodes folder. The XML itself needs to be placed in a subfolder of this nodes folder. The subfolder needs the format of a guid, and the location in the admin ui depends on the guid used.

A lot has been written in the past on how to figure out what guid to use. For this particular task, I just relied on AdminUI.ConsoleBuilder.exe, one of those nifty hidden tools in the Configuration Manager installation directory.

Step by Step

  1. Download the ClientNotificationStatus.zip from here: http://1drv.ms/1zfvwIO
  2. Extract the zip file to a location of your choice.
  3. Copy the client notification status.dll to the adminconsole\bin folder of your admin ui console installation
  4. Create the Nodes subfolder in AdminConsole\XmlStorage\Extensions\ if it doesn’t exist already
  5. Copy the guid folder (ec1eb040-7957-45c3-aad0-a0ef9afba98a) to AdminConsole\XmlStorage\Extensions\Nodes
  6. Restart the System Center Configuration Manager Admin UI
  7. The client status node in the Monitoring workspace should now contain a new sub view
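Steps 3 to 5 as a script, as an added example that is not part of the original download: because the DLL is loaded into the admin console process, it records each DLL's SHA-256 and Authenticode status before anything is copied. The `-Source` folder, the `-AcceptUnsigned` switch and the `installed-hashes.csv` file name are assumptions of this example; it needs PowerShell 4 or later and an elevated prompt.

```powershell
# Added example, not from the original post or download.
# Assumptions: -Source is the folder the zip was extracted to (step 2); the console
# is installed on this machine, so SMS_ADMIN_UI_PATH is set; run elevated.
param(
    [Parameter(Mandatory)] [string] $Source,   # hypothetical: extracted ClientNotificationStatus.zip
    [switch] $AcceptUnsigned                   # hypothetical switch: proceed after manual review
)
$ErrorActionPreference = 'Stop'
$NodeGuid = 'ec1eb040-7957-45c3-aad0-a0ef9afba98a'   # GUID folder named in step 5

if (-not $env:SMS_ADMIN_UI_PATH) {
    throw 'SMS_ADMIN_UI_PATH is not set; is the admin console installed on this machine?'
}
# SMS_ADMIN_UI_PATH points at ...\AdminConsole\bin\i386: one level up is bin, two is AdminConsole.
$BinDir   = Split-Path $env:SMS_ADMIN_UI_PATH -Parent
$NodesDir = Join-Path (Split-Path $BinDir -Parent) 'XmlStorage\Extensions\Nodes'

$Dlls    = @(Get-ChildItem -Path $Source -Filter *.dll -File)
$GuidDir = Join-Path $Source $NodeGuid
if ($Dlls.Count -eq 0 -or -not (Test-Path $GuidDir -PathType Container)) {
    throw "Expected at least one DLL and a $NodeGuid folder under $Source"
}

# Record what is about to be loaded into the console process.
$Report = foreach ($Dll in $Dlls) {
    $Sig = Get-AuthenticodeSignature -FilePath $Dll.FullName
    [pscustomobject]@{
        File      = $Dll.Name
        SHA256    = (Get-FileHash -Path $Dll.FullName -Algorithm SHA256).Hash
        Signature = $Sig.Status
        Signer    = $Sig.SignerCertificate.Subject
    }
}
$Report | Format-List | Out-Host

if (($Report | Where-Object { $_.Signature -ne 'Valid' }) -and -not $AcceptUnsigned) {
    throw 'At least one DLL has no valid Authenticode signature. Review it, then rerun with -AcceptUnsigned.'
}

# Step 3: DLL into adminconsole\bin
$Dlls | Copy-Item -Destination $BinDir
# Step 4: create the Nodes folder if it does not exist yet
New-Item -ItemType Directory -Path $NodesDir -Force | Out-Null
# Step 5: GUID folder (with its XML) into Extensions\Nodes
Copy-Item -Path $GuidDir -Destination $NodesDir -Recurse -Force

# Keep the hashes so a later change to the installed DLL can be detected.
$Report | Export-Csv -Path (Join-Path $Source 'installed-hashes.csv') -NoTypeInformation
```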

 

Known issues / potential future enhancements

These have already been pointed out to me by a grumpy old man (not naming names here):
  1. The node isn’t limited to only display 1.000 entries by default
  2. The node doesn’t have a search box like most other nodes
Other items:
  • Show the BGB server name you’re connected to.
  • See whether I can choose which columns to show by default
  • Include some form of RBA?


Turns out Wally is somewhat right (about reading logfiles)

11:18 am in ConfigMgr by The WMI guy

Hi All,

It's been a while since I blogged anything, so for those of you wondering: yes, I am still alive. Been pretty busy over the past year doing live presentations at several events, but blogging has suffered a bit. This is a first post in an attempt to pick up blogging again, or at least that’s the intention.

I’ll start off this blog post with setting something straight: at one of my public speaking sessions a while back, I made the bold statement that Wally was wrong* (about his preferred tool for reading log files). For those of you wondering, it was at a 10 minute presentation I did at the last MMS in Las Vegas as part of the MVP Experts panel. More specifically, it was during session UD-B320: Configuration Manager 2012: MVP Experts Panel. The session itself can still be found online at channel 9 here.

Turns out, as often is the case when you make bold statements, Wally’s not wrong at all. In fact he’s somewhat right, CMTrace is indeed the second best log viewer tool to read Configuration Manager logfiles.

No, I didn’t all of a sudden turn into a notepad believer, the number 1 log file viewer tool for SCCM that I advise everyone to start using is actually part of the new Configuration Manager Support Center. This tool is part of a new toolset in troubleshooting ConfigMgr related issues provided to us by the product team, and can be downloaded here http://www.microsoft.com/en-us/download/details.aspx?id=42645 . Additionally, you can find an initial description of the tool on the ConfigMgr team blog here: http://blogs.technet.com/b/configmgrteam/archive/2014/05/06/system-center-2012-configuration-manager-support-center-tool-has-been-released.aspx

So why do I consider this the best log file viewer available? There are a couple of reasons, but for this blog post I’ll just focus on a single use case. Last week, at another happy customer, I had to troubleshoot client to management point communication, more specifically hardware inventory communication. Now, Kim, that’s easy enough, anyone with a little operational experience knows that all this takes is looking through the inventoryagent.log on the client, the mp_hinv.log on the management point, and the dataldr.log on the site server. Now, obviously the client I had to troubleshoot was neither running on the MP, nor on the site server, and the site server and management points were obviously on different machines as well. To make matters worse, the customer had no less than 3 MPs to create a nice load balanced environment. Those of you present at my MMS 2013 presentation, or those of you that took the time to actually look at the Channel 9 video, will know I am a big advocate for merging logfiles to get the overview of what is going on.

So here’s, what I was able to do with the assistance of the new Support Center Logfile viewer:

.\CMLogViewer.exe '\\client\c$\windows\ccm\logs\inventoryagent.log', '\\mpsup1\e$\SMS_CCM\Logs\MP_Hinv.log', '\\mpsup2\e$\SMS_CCM\Logs\MP_Hinv.log', '\\SiteServer\e$\program files\Microsoft Configuration Manager\Logs\dataldr.log'

As you might have noted, all I did was specify the UNC paths to the relevant logfiles and comma separate them. This opens all the logfiles I needed, merged, without me having to know which MPs the client used to actually send its hardware inventory along. There are plenty of scenarios where this is useful. Multiple SMS providers is another that comes to mind.

PS: There’s still a small issue in the Support Center Logfile viewer where it crashes when you specify an inaccessible logfile in this way.
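One way to work around the crash mentioned in the PS, as an added example that is not part of the original post or of Support Center: try to open each log for reading first and hand only the readable ones to the viewer. The paths are the ones from the command above; PowerShell passes the array to the executable as separate arguments, the same way the comma-separated list in the post is passed.

```powershell
# Added example, not from the original post. Paths are the ones used in the post;
# replace them with the logs relevant to your own client, MPs and site server.
$Logs = @(
    '\\client\c$\windows\ccm\logs\inventoryagent.log',
    '\\mpsup1\e$\SMS_CCM\Logs\MP_Hinv.log',
    '\\mpsup2\e$\SMS_CCM\Logs\MP_Hinv.log',
    '\\SiteServer\e$\program files\Microsoft Configuration Manager\Logs\dataldr.log'
)

$Reachable = foreach ($Path in $Logs) {
    try {
        # Test-Path only proves the file exists; opening it also proves read permission.
        # FileShare ReadWrite lets the component that owns the log keep writing to it.
        [System.IO.File]::Open($Path,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite).Dispose()
        $Path
    } catch {
        Write-Warning "Skipping ${Path}: $($_.Exception.Message)"
    }
}

if ($Reachable) {
    # Each array element becomes one argument; paths with spaces are quoted for us.
    & .\CMLogViewer.exe @($Reachable)
} else {
    Write-Warning 'None of the log files could be opened; the viewer was not started.'
}
```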

Thank you, Adam Meltzer, for making my life that tad bit easier, yet again.


With thanks to Rafëal Aubert for the spell check: https://www.linkedin.com/in/rafaelaubert

ConfigMgr 2012 RB A through Z webinar

8:08 am in ConfigMgr, RBA, SCCM by The WMI guy

Hi All,

It's been a while since I blogged anything, so for those of you wondering yes, I am still alive. Been pretty busy over the past year doing live presentations at several events, but blogging has suffered a bit. This is a quick blog post to announce that I'll be doing another live webinar. I still love doing those, and this one is scheduled for next week already.

The registration page can be found over here: http://bit.ly/17i2lrj

Session title: ConfigMgr 2012: RBA through Z
Session Abstract: System Center Configuration Manager comes with a completely revamped security model. The feature was named Role Based Administration or RBA for short. In this session we'll go beyond the basics of security scopes, roles and collections to give you a deeper understanding of the possibilities of this new security model. Kim Oppalfens, who's been an sms/configmgr/enterprise client management mvp for the past 10 years will walk you through some real life example scenarios and will explain how you work these into the new model.


Getting ready for my first Open ConfigMgr 2012 class

8:39 pm in Uncategorized by The WMI guy

Hi All,

I am preparing for my very first teach in an open class of ConfigMgr 2012. The material we’ll be using is the manual me and Kent Agerlund (Danish ConfigMgr MVP) wrote. We started writing at beta2 and have updated the material over the months up until RC1.

I am busy updating it to RC2 as I am typing this. The course is nearly sold out, but still has a couple of seats (literally) left.

The course will take place at the JCAcademy in Louvain, if you want you can still register here: http://www.jcacademy.be/jca/be-en/course-details.page?Short=MOC213&r=freesearch&q=sccm&i=1

The course will cover site installation, as well as migration, followed by all the novelties of ConfigMgr 2012.

The course is open to new and seasoned ConfigMgr admins alike, but you’ll probably benefit the most from it if you already have a ConfigMgr 2007 background.

Best regards,

Kim Oppalfens

ConfigMgr MVP

Easing Tasksequence basevariable management in SCCM

10:46 am in Uncategorized by The WMI guy

Hi All,

Configuration Manager has a powerful way of creating software profiles using the basevariables and the tasksequence step Install Software with the Install multiple applications option. This method is described here:

http://technet.microsoft.com/en-us/library/bb680842.aspx

Explaining the workings of this method is not the intent of this blogpost. However, once you figure out how all of this works you might find the user interface for configuring all of it somewhat lacking.

Two inconveniences I wanted to fix for a while are the inability to reorder those basevariables, and the even more problematic inability to delete a basevariable from somewhere in your list of packages. To do this I took advantage of the extensibility of the ConfigMgr Admin UI to create my own interface. A screenshot is available below:

TaskSequenceCollVarUI

 

Installation is super-easy just

copy the TaskSequenceBasevariableUI.dll to <ConfigMgr Install folder>\adminui\bin,

and copy the xml to <ConfigMgr Install folder>\adminui\xmlstorage\extensions\forms.

You might have to create the forms folder underneath the extensions folder.

Download the project here.

Give it a try, and let me know what you think in the comments section, or through the usual channels available to contact me.
