01-microsoft system center configuration manager 2007

7/26/2019 01-Microsoft System Center Configuration Manager 2007

1/47

System Center Configuration Manager 2007

Microsoft System Center Configuration Manager 2007 (formerly known as MicrosoftSystem Management Server)

Configuration Manager 2007 provides the following features:

Distributing and installing software applicationsDistributing and installing updates to software! for e"ample security fi"esCollecting #ardware and software inventory$estricting computers from accessing t#e network if t#ey do not meet specifiedre%uirements! for e"ample #aving certain security updates installedDeploying operating systemsSpecifying w#at a desired configuration would be for one or more computers and t#enmonitoring ad#erence to t#at configuration

Metering software usage$emotely controlling computers to provide troubles#ooting support

Understanding Configuration Manager Sites

& System Center Configuration Manager 2007 site defines t#e scope of administrativecontrol & site consists of a site server, site system roles, clients, and resources & sitealways re%uires access to a Microsoft SQ Server data!ase '#ere are several types ofConfiguration Manager 2007 sites & Configuration Manager 2007 site uses !oundariesto determine the clients !elonging to the site Multiple sites can be configured into site#ierarc#ies and connected suc# t#at you can manage bandwidt# utiliation between sites

& Configuration Manager 2007 site is identified by t#e t#reec#aracter code and t#efriendly site name configured during Setup

"ypes of Sites

*#en you install a site! you decide w#et#er it will be a primary site or a secondary site'#en! as you install additional sites! you #ave t#e option arrange t#em in #ierarc#icalrelations#ips so t#at t#ere are parent sites t#at manage c#ild sites! and a central site tocollect all of t#e site information for centralied management +r! if you prefer! you canleave t#e sites wit#out any connections and manage t#em separately! according to yourbusiness and administrative needs ,or e"ample! if your organiation consists ofindependent business units! eac# unit mig#t resist #aving centralied management

#rimary Sites

'#e first Configuration Manager 2007 site you install must be a primary site & primarysite stores Configuration Manager 2007 data for itself and all t#e sites beneat# it in a S-.Server database '#is is called t#e Configuration Manager 2007 site database /rimarysites #ave an administrative tool called t#e Configuration Manager 2007 console t#atenables t#e Configuration Manager 2007 administrator to directly manage t#e site


2/47

Secondary Sites

& secondary site #as no Configuration Manager 2007 site database 1t is attac#ed to andreports to a primary site '#e secondary site is managed by a Configuration Manager2007 administrator running a Configuration Manager 2007 console t#at is connected tot#e primary site

'#e secondary site forwards t#e information it gat#ers from Configuration Manager 2007clients! suc# as computer inventory data and Configuration Manager 2007 system statusinformation! to its parent site '#e primary site t#en stores t#e data of bot# t#e primaryand secondary sites in t#e Configuration Manager 2007 site database

'#e advantages of using secondary sites are t#at t#ey re%uire no additional ConfigurationManager 2007 server license and do not re%uire t#e over#ead of maintaining anadditional database Secondary sites are managed from t#e primary site it is connected to!so t#ey are fre%uently used in sites wit# no local administrator present '#e disadvantageof secondary sites is t#at t#ey must be attac#ed to a primary site and cannot be moved to

a different primary site wit#out deleting and recreating t#e site &lso! secondary sitescannot #ave sites beneat# t#em in t#e #ierarc#y

#arent Sites

& parent site is a primary site t#at #as one ore more sites attac#ed to it in t#e #ierarc#y+nly a primary site can #ave c#ild sites & secondary site is always a c#ild site & parentsite contains pertinent information about its lower level sites! suc# as computer inventorydata and Configuration Manager 2007 system status information! and can control manyoperations at t#e c#ild sites

Child Sites

& c#ild site is a site t#at is attac#ed to a site above it in t#e #ierarc#y '#e site it reports tois its parent site & c#ild site can #ave only one parent site Configuration Manager 2007copies all t#e data t#at is collected at a c#ild site to its parent site & c#ild site is eit#er aprimary site or a secondary site

Central Site

& central site #as no parent site 'ypically! a central site #as c#ild and grandc#ild sites andaggregates all of t#eir client information to provide centralied management andreporting & site wit# no parent and no c#ild site is still called a central site alt#oug# it isalso referred to as a standalone site

Site Systems

ac# site contains one site server and one or more site systems '#e site server is t#ecomputer w#ere you install Configuration Manager 2007 and it #osts services re%uiredfor Configuration Manager 2007 & site system is any computer running a supportedversion of *indows3 or a s#ared folder t#at #osts one or more site system roles & sitesystem role is a function re%uired to use Configuration Manager 2007 or to use a featureof Configuration Manager 2007 Multiple site roles can be combined on a single site

2


3/47

system! including running all site roles on t#e site server! but t#is is usually appropriateonly for very small and simple environments

'#e following rolesprovides a brief description of eac# site system role

Site server'#e role assigned to t#e server on w#ic# Configuration Manager 2007 Setup #as beenrun successfully4es very site must #ave e"actly one site server role

Site data!ase server

'#e role assigned to t#e computer running Microsoft S-. Server and #osting t#eConfiguration Manager 2007 site database 4ou can use only Microsoft S-. Server 2005!Standard or nterprise dition to #ost t#e site database S-. Server 2005 "press is not asupported S-. Server 2005 version for #osting t#e site databasevery primary site re%uires a site database server role but secondary sites do not re%uire

t#em

Configuration Manager console

&ny computer running t#e Configuration Manager console6o '#e Configuration Manager console is automatically installed by default on primarysite servers during Setup 4ou can install additional Configuration Manager consoles onremote computers! for e"ample t#e workstation of t#e Configuration Manageradministrator owever! some organiations write t#eir own user interface using t#eConfiguration Manager software developer kit (SD8) and never use t#e ConfigurationManager console

SMS #rovider computer

'#e Configuration Manager console does not access t#e database directly but insteaduses *indows Management 1nstrumentation (*M1) as an intermediary layer '#e SMS/rovider is t#e *M1 /rovider for Configuration Manager4es! for primary sites *#en you install a primary site! you select w#ic# computer will

#ost t#e SMS /rovider! usually t#e site server or t#e site database serverComponent server

&ny computer #osting a Configuration Manager 2007 site role t#at re%uires installingspecial Configuration Manager 2007 services'#e only site system role t#at does not re%uire t#e installation of a special Configuration

Manager 2007 service is t#e distribution point$istri!ution point

& site system role t#at stores packages for clients to install$e%uired for t#e following features9 software distribution! software updates! andadvertised task se%uences%all!ac& status point

:


4/47

& site system role t#at gat#ers state messages from clients t#at cannot install properly!cannot assign to a Configuration Manager 2007 site! or cannot communicate securelywit# t#eir assigned management point6ot re%uired! but very #elpful to troubles#oot issues wit# clients

Management point'#e site system role t#at serves as t#e primary point of contact between ConfigurationManager 2007 clients and t#e Configuration Manager 2007 site serververy site wit# intranet clients must #ave one default management point! t#oug# t#edefault management point mig#t be a cluster of several site systems configured asmanagement points#'( service point

& site system role t#at #as been configured to respond to and initiate operating systemdeployments from computers w#ose network interface card is configured to allow /;boot re%uests

$e%uired only for operating system deployment using /; boot re%uests)eporting point

& site system role #osts t#e $eport


5/47

Clients communicate wit# site systems #osting site system roles Site systemscommunicate wit# t#e site server and wit# t#e site database 1f t#ere are multiple sitesconnected in a #ierarc#y! t#e sites communicate wit# t#eir parent! c#ild! or sometimesgrandc#ild sites

Sites are typically configured so t#at t#e clients and site systems #ave fast connectivitywit# eac# ot#er! usually .&6speed owever! Configuration Manager 2007 alsosupports clients t#at move between sites! mobile devices t#at connect over t#e cellularnetwork! clients t#at connect to t#e organiation?s network t#roug# dialup or virtualprivate networks (


6/47

*#en Configuration Manager 2007 components t#at are wit#in t#e site boundariescommunicate wit# eac# ot#er! t#ey use eit#er server message block (SM@)! ''/! or''/S! depending on various site configuration c#oices you make @ecause all of t#esecommunications are unmanaged! t#at is! t#ey #appen at any time wit# no considerationfor bandwidt# consumption! it is beneficial to make sure t#ese site elements #ave fast

communication c#annels

Understanding Configuration Manager Clients

Microsoft System Center Configuration Manager 2007 supports many *indowsbasedplatforms as clients 4ou must install Configuration Manager 2007 client software on t#eclients you want to manage

6oteConfiguration Manager 2007 supports only *indowsbased platforms Support for non*indows platforms like Macintos# and =ni" platforms mig#t be provided by ot#er

software vendors as addon products to Configuration Manager

'ypes of Clients4ou can install Configuration Manager 2007 client software on desktop and laptopcomputers! w#ic# are typically t#oug#t of as Bclient computersB 1n addition! you caninstall Configuration Manager 2007 client software on server computers and managet#em as clients of Configuration Manager 2007 *#ile servers often #ave specificoperational re%uirements! for e"ample t#e times you are allowed to reboot servercomputers mig#t be more limited t#an desktop computers! Configuration Manager 2007makes no functional distinction between server or client computers '#roug#out t#edocumentation! t#e term client computer can mean eit#er a server in a server room or a

computer on a user?s desktop

Client computers typically connect into t#e organiation network directly! eit#er by beingattac#ed directly to t#e network or by using


7/47

Microsoft supports running an embedded version of *indows on devices t#at are nottraditional desktop! laptop! or server computers ,or e"ample! *indows ;/ mbeddedcan be installed on automated teller mac#ines or medical devices Configuration Manager2007 components can be installed by t#e manufacturer on t#ese devices along wit# t#eembedded operating system Devices support many but not all of t#e features supported

by standard clients

'#roug#out t#e documentation! t#e term client is used to refer to all clients t#at run t#eConfiguration Manager 2007 client components! w#ile client computer is used to referservers! desktops! and laptops

$iscovering Clients

Configuration Manager 2007 #as t#e ability to discover resources on t#e network usingseveral different discovery mec#anisms '#e following table describes t#e availablediscovery met#ods

$iscovery Method Description/ctive $irectory System $iscovery$etrieves details about t#e computer! suc# as computer name! &ctive Directory containername! 1/ address! and &ctive Directory site/ctive $irectory System roup $iscovery

Cannot discover a computer t#at #as not already been discovered by anot#er met#od 1f aresource #as been discovered and is assigned to t#e site! &ctive Directory System roupDiscovery e"tends ot#er discovery met#ods by retrieving details suc# as organiationalunit! global groups! universal groups! and nested groups

/ctive $irectory User $iscovery

$etrieves information about user accounts created in &ctive Directory/ctive $irectory Security roup $iscovery

$etrieves security groups created in &ctive Directory*eart!eat $iscovery

$efres# Configuration Manager client computer discovery data in t#e site database=nlike t#e ot#er met#ods! t#is met#od works only on computers t#at already #ave t#eConfiguration Manager 2007 installed1etwor& $iscovery

Searc#es t#e network for resources t#at meet a specific profile 6etwork discovery candiscover resources t#at are .isted in a router?s &$/ cac#e for a specified network subnet$unning &n S6M/ agent and configured for a specified community Configured asMicrosoft DC/ clients

7


8/47

ac# discovery met#od creates data discovery records (DD$s) for resources and sendst#em to t#e site database! even if t#e discovered resource is not capable of being aConfiguration Manager 2007 client ,or e"ample! 6etwork Discovery mig#t discoverrouters and printers! w#ic# could be #elpful for tracking purposes! but t#ose devices will

not actually be managed by Configuration Manager 2007 Mobile devices cannot bediscovered until t#e mobile device client is installed Computers running &ctiveSync (for*indows ;/ clients) or Mobile Device Center (for


9/47

1maging'#e client software can be added to an image! including images created and deployedwit# Configuration Manager 2007 operating system deployment

Software Distribution"isting clients can be upgraded or redeployed using Configuration Manager 2007software distribution

Mobile devices use different installation met#ods & client computer t#at sync#ronieswit# a mobile device can be targeted to install t#e mobile device client t#e ne"t time t#edevice is docked Mobile devices can also install t#e client software from a memory card

Client &ssignmentClients must be assigned to a site before t#ey can be managed by t#at site Clients can be

assigned to a site during installation or after installation &ssigning a client involveseit#er telling it a specific site code to use! or configuring t#e client to automatically assignto a site based on boundaries 1f t#e client is not assigned to any site during t#e clientinstallation p#ase! t#e client installation p#ase completes! but t#e client cannot bemanaged by Configuration Manager 2007

Clients cannot be assigned to secondary sitesF t#ey are always assigned to t#e parentprimary site! but can reside in t#e boundaries of t#e secondary site! taking advantage ofany pro"y management points and distribution points at t#e secondary site '#is isbecause clients communicate wit# management points and management points mustcommunicate wit# a site database Secondary sites do not #ave t#eir own site databaseFt#ey use t#e site database at t#eir parent primary site

&ut#enticating Clients@efore Configuration Manager 2007 trusts a client! it re%uires some manner ofaut#entication 1n mi"ed mode! clients must be approved! eit#er by manually approvingeac# client or by automatically approving all clients or all clients in a trusted *indowsdomain 1n native mode! clients must be issued client aut#entication certificates prior toinstalling t#e Configuration Manager 2007 client software

@locking Clients1f a client computer is no longer trusted! t#e Configuration Manager administrator canblock t#e client in t#e Configuration Manager 2007 console @locking applies to bot#native mode and mi"ed mode sites @locked clients are ignored by t#e ConfigurationManager 2007 infrastructure '#is is especially useful for laptop computers t#at are lostor stolen! to #elp prevent attackers from using a trusted client to attack t#e site or t#enetwork

Client &gents

G


10/47

Client agents are Configuration Manager 2007 components t#at run on top of t#e baseclient components 1f you install only t#e Configuration Manager Client wit#out enablingany client agents! Configuration Manager 2007 cannot manage anyt#ing about t#e clientvery client agent t#at you enable lets you use a different feature of ConfigurationManager 2007 4ou can configure t#e client agents to suit your environment '#e

following table describes t#e client agents in Configuration Manager 2007

Client &gent DescriptionComputer Client &gent /ropertiesConfigures #ow often client computers retrieve t#e policy t#at gives t#em t#e rest oft#eir configuration settings ,or e"ample! after you configure t#e ot#er client agentsettings! Configuration Manager puts t#ose settings into policy and sends t#em to t#emanagement point and client computers poll for t#em on t#e sc#edule you configure'#is agent also controls settings t#at are common to several Configuration Managerfeatures like #ow often users are prompted wit# reminders and w#at customiedorganiation names users see wit# t#e reminders

Device Client &gent /ropertiesConfigures all of t#e properties specific to mobile device clients Mobile device clients#ave settings for software distribution! software inventory! #ardware inventory! and filecollection '#is agent also controls t#e polling interval used by mobile device clients

ardware 1nventory Client &gentnables and configures t#e agent t#at collects a wide variety of information about t#eclient computer 1nformation about t#e computer #ardware is most commonly collected!but you can inventory any information stored in t#e *indows Management1nstrumentation (*M1) repository of t#e computer! suc# as registry keys 4ou canconfigure #ow often t#e client computer takes inventory

Software 1nventory Client &gentnables and configures w#ic# files Configuration Manager inventories and collectsCopies of collected files are stored in t#e Configuration Manager database

&dvertised /rograms Client &gentnables and configures t#e software distribution feature

Desired Configuration Management Client &gentnables t#e client agent t#at evaluates w#et#er computers are in compliance wit#configuration baselines t#at are assigned to t#em 4ou can also configure t#e defaultcompliance evaluation sc#edule for assigned configuration baselines

$emote 'ools Client &gentnables Configuration Manager remote control and configures Configuration Managerintegration wit# $emote &ssistance

6etwork &ccess /rotection Client &gent

0


11/47

nables Configuration Manager 6etwork &ccess /rotection and configures #ow clientcomputers are evaluated for compliance by t#e *indows 6etwork /olicy Server 1f clientcomputers are not in compliance wit# t#e configured policies! for e"ample if t#ey do not#ave specified software updates! 6&/ can prevent t#e client computers from accessnetwork resources until t#ey complete remediation measures Configuring t#is client

agent wit#out proper planning and deployment can prevent your client computers fromaccessing t#e network

Software Metering Client &gentnables t#e agent t#at monitors w#ic# software is run and #ow often and configures #owoften software metering data is collectedSoftware =pdates Client &gentnables t#e agent t#at scans for and installs software updates on client computers '#isagent allows you to configure #ow often clients are reevaluated for software updates t#atwere previously installed @efore you can use t#e software update feature! you must also

install *indows Server =pdate Services (*S=S) and configure a software update point

'#ere is no client agent for operating system deployment


12/47

Understanding Configuration Manager %eatures

1f you install a Microsoft System Center Configuration Manager 2007 site but do notconfigure any of t#e features! t#e site is essentially useless ,eatures provide t#e actualfunctionality of Configuration Manager 2007 4ou can install Hust one feature or several

features Some features #ave dependencies on ot#er features! for e"ample 6etwork&ccess /rotection re%uires t#e software updates feature be operational first

'#e following features are provided in Configuration Manager 20079

'#e administrator consoleCollections1nventory-ueries$eportingSoftware distribution

Software updatesSoftware meteringMobile Device management+perating system deploymentDesired configuration management$emote tools6etwork &ccess /rotection*ake +n .&6

'#e &dministrator Console

'#e Configuration Manager 2007 console is t#e most common way t#at ConfigurationManager administrators use Configuration Manager 2007! alt#oug# some organiationsuse t#e Software Development 8it (SD8) to build custom user interfaces and manyadministrators use scripting to manage repetitive tasks more efficiently

4ou can run t#e console from t#e site server or install additional consoles on yourdesktop or #elp desk computers to facilitate management +ne console can manage manysites or many consoles can manage a single site '#e Configuration Manager 2007console runs as a Microsoft Management Console (MMC) snapin! alt#oug# you mustrun Configuration Manager 2007 Setup on t#e computer so t#at t#e snapin is available

CollectionsCollections represent groups of resources and can consist not only of computers! but alsoof Microsoft *indows users and user groups as well as ot#er discovered resourcesCollections provide you wit# t#e means to organie resources into easily manageableunits! enabling you to create an organied structure t#at logically represents t#e kinds oftasks t#at you want to perform Collections also serve as targets for performingConfiguration Manager operations on multiple resources at one time (suc# as softwaredistribution or software updates) Collection members#ip can be eit#er direct or %uery

2


13/47

based -uery based collections are very powerful because t#ey can group any resourcestoget#er based on criteria ,or e"ample! if you want to deploy Microsoft +ffice 2007 onlyto computers wit# @ of free disk space and @ of $&M! you can create a collectiont#at uses a %uery against t#e Configuration Manager 2007 inventory information in t#edatabase

1nventory4ou can configure Configuration Manager 2007 to inventory #ardware and software onConfiguration Manager 2007 clients ardware inventory gives you system information(suc# as available disk space! processor type! and operating system) about eac# computer4ou can configure t#e information returned in #ardware inventory by modifying t#eSMSIdefmof file Software inventory agent gives you information suc# as inventoriedfile types and versions present on client computers Software inventory alone Hust returnslists of file types! but combining software inventory wit# t#e information in t#e &sset1ntelligence knowledge base allows you to create reports on w#ic# applications are usedin your environment Software inventory can also collect copies of files in t#e database!

but t#is is recommended only for small files t#at do not c#ange very often

-ueries'#e %uery feature in Configuration Manager 2007 uses *@M %uery language (*-.) to%uery t#e site database -uery results are returned in t#e Configuration Manager 2007console! w#ere t#ey can be e"ported using t#e MMC e"port list feature -ueries can alsobe used to create collections of resources t#at meet t#e %uery criteria

$eporting$eporting is a supporting feature to many ot#er Configuration Manager 2007 features$eports are returned in *eb pages in t#e browser /rogramming is not re%uired! butknowledge about creating S-. %ueries is e"tremely #elpful *it# reporting you cancreate reports t#at s#ow t#e inventory you #ave collected or t#e software updatessuccessfully deployed 4ou can also create das#boards! w#ic# combine several differentviews of information Several precreated reports are available to support commonreporting scenarios ,or more information about t#e reports provided for eac# feature! seet#e feature documentation

Software distributionSoftware distribution allows you to pus# Hust about anyt#ing to a client computer/ackages in software distribution can contain source files to deploy software applicationsand commands called programs t#at tell t#e client w#at e"ecutable file to run & singlepackage can contain multiple programs! eac# configured to run differently /ackages canalso contain command lines to run files already present on t#e client! wit#out actuallycontaining additional source files

1mportantConfiguration Manager 2007 can cause any e"ecutable file to run on t#e client! #oweverit is important to understand t#at Configuration Manager 2007 does not actually packaget#e e"ecutables or source files Configuration Manager 2007 is like t#e delivery manF it

:


14/47

gets t#e software or t#e command to t#e client! but t#e command must be able to run ont#e client independently of Configuration Manager 2007 1f t#e software or commandcannot run wit#out Configuration Manager 2007 software distribution! it will never runwit# software distribution

Configuration Manager 2007 uses advertisements to specify w#ic# collections receive t#eprogram and t#e package

Software updates'#e software updates feature provides a set of tools and resources t#at can #elp managet#e comple" task of tracking and applying software updates to client computers in t#eenterprise Software updates in Configuration Manager 2007 re%uires a *indows Server=pdate Services (*S=S) server to be installed and uses t#at to scan t#e client computersfor applicable software updates '#e administrator views w#ic# updates are needed in t#e

environment and creates packages and deployments containing t#e source files for t#esoftware updates Clients t#en install t#e software updates from distribution points andreport t#eir status back to t#e site database

Software meteringSoftware metering enables you to collect and report software program usage data '#edata provided by t#ese reports can be used by many groups wit#in t#e organiation suc#as 1' and corporate purc#asing

Software metering in Configuration Manager 2007 supports t#e following scenarios9

1dentify w#ic# software applications are being used! and w#o is using t#em1dentify t#e number of concurrent usages of a specified software application1dentify actual software license re%uirements1dentify redundant software application installations1dentify unused software applications w#ic# could be relocated

Mobile Device managementMobile devices are supported as Configuration Manager 2007 clients ,or documentationpurposes! mobile clients are treated as a separate feature Mobile clients can run a subsetof Configuration Manager 2007 features suc# as inventory and software distribution! butcannot be managed by remote control and cannot receive operating system deploymentslike desktop clients

>


15/47

+perating system deployment+perating system deployment enables you to install new operating systems and softwareonto a computer 4ou can use operating system deployment to install operating systemimages to new or e"isting computers as well as to computers wit# no connection yourConfiguration Manager 2007 site @y using task se%uences and t#e driver catalog

operating system deployment streamlines new computer installations by allowing you toinstall software using one dynamic image t#at can be installed on different types ofcomputers and configurations

+perating system deployment provides t#e following solutions for deploying operatingsystem images to computers9

/rovide a secure operating system deployment environment

&ssist wit# managing t#e cost of deploying images by allowing one image to work wit#

different computer #ardware configurations

&ssist wit# unifying deployment strategies to #elp provide a solid deployment foundationfor future operating system deployment met#ods

Desired configuration managementDesired configuration management enables you to define configuration standards andpolicies! and audit compliance t#roug#out t#e enterprise against t#ose definedconfigurations @est practices configurations can be used from Microsoft and vendors int#e form of Microsoft3 System Center Configuration Manager 2007 Configuration/acks '#ese Configuration /acks can t#en be refined to meet customied businessre%uirements &dditionally! desired configuration management supports an aut#oringenvironment for customied configurations

'#is feature is designed to provide data for use by many groups wit#in t#e organiation!including 1' and corporate security Desired configuration management supports t#efollowing scenarios9

Detect production server configuration drift and confirm provisioned servers meete"pected build re%uirements

/rovide t#e #elp desk wit# probable cause information! reducing t#e timetoresolve(''$) of incidents and provide probable cause analysis for problems

$eport compliance wit# regulatory policies! and in#ouse security policies

5


16/47

/rovide c#ange verification and tracking

6ote1f you are familiar wit# t#e @usiness Solution &ddon! Desired Configuration Monitoringwit# Systems Management 200: Service /ack ! see t#e following reference for acomparison between t#e two features9 Comparison of SMS 200: Desired ConfigurationMonitoring and Configuration Manager 2007 Desired Configuration Management$emote tools$emote tools in Configuration Manager 2007 includes t#e remote control feature w#ic#allows an operator wit# sufficient access rig#ts t#e ability to remotely administer clientcomputers in t#e Configuration Manager 2007 site #ierarc#y

4ou can use remote control to troubles#oot problems on client computers and to provideremote #elp desk support w#ere access to t#e user?s computer is necessary

6etwork &ccess /rotection6etwork &ccess /rotection (6&/) is a policy enforcement platform built into t#eMicrosoft *indows


17/47

*ake +n .&6'#e *ake +n .&6 feature #elps to ac#ieve a #ig#er success rate for sc#eduledConfiguration Manager 2007 activities! reducing associated network traffic duringbusiness #ours! and #elps organiations to conserve power by not re%uiring computers to

be left on for maintenance outside business #ours

*ake +n .&6 in Configuration Manager 2007 supports t#e following scenarios9

Sending a wakeup transmission prior to t#e configured deadline for a software updatedeployment

Sending a wakeup transmission prior to t#e configured sc#edule of a mandatoryadvertisement! w#ic# can be for software distribution or a task se%uence

Security Modes'#ere are two security modes in Configuration Manager 2007

6ative mode is t#e recommended site configuration for new Configuration Manager 2007sites because it offers a #ig#er level of security by integrating wit# a public keyinfrastructure (/81) to #elp protect clienttoserver communication /81s can #elpcompanies meet t#eir security and business re%uirements! but t#ey must be carefullydesigned and implemented to meet t#e current and future needs 1nstalling a /81 solely tosupport Configuration Manager 2007 operations could fulfill certain s#ort term goals butcould #amper a more e"tensive /81 rollout to support ot#er applications at a later time 1fyour organiation already #as a welldesigned! industrystandard /81! ConfigurationManager 2007 s#ould be able to use certificates from t#e e"isting /81

1mportant6ative mode re%uires e"tensive planning and lab testing prior to implementation 1f t#e/81 infrastructure is not implemented properly to support Configuration Manager 2007!t#e w#ole site could stop functioning Do not implement native mode in a productionenvironment wit#out t#oroug#ly understanding t#e re%uirements

*#ile native mode is t#e most secure mode available in Configuration Manager 2007!mi"ed mode can be considered ade%uate security for many organiations and re%uiresless administrative over#ead Mi"ed mode is t#e default w#en upgrading from an e"istingSystems Management Server (SMS) 200: site and provides backwards compatibility for#ierarc#ies t#at #ave bot# SMS 200: sites and Configuration Manager 2007 sites 1t ispossible to install wit# mi"ed mode and t#en migrate to native mode later 1t is alsopossible to revert to mi"ed mode from native mode @ot# migrating and reverting re%uiret#oroug# planning prior to implementation

7


18/47

6ative mode sites cannot report to mi"ed mode sites *#en migrating from mi"ed modeto native mode! always convert t#e central site first and t#en work down

1nternetbased ClientsComputers t#at connect to t#e organiation?s network using


19/47

takes t#e c#anges from delta file t#e to t#e site control file! w#ic# contains all of t#e sitesettings ierarc#y Manager t#en makes t#e configuration c#ange in t#e database 1f t#ereare parent or c#ild sites! Site Control Manager interacts wit# ot#er services to send t#esite settings up or down t#e #ierarc#y Many of t#ese site processes are documented in t#etec#nical flow c#arts included in t#e Configuration Manager Documentation .ibrary

Status MessagesMost of t#e time! site operations Hust work and need no intervention 'o monitoroperations! most services! including client services! generate status messages1nformational and success status messages indicate t#at t#e site is performing ase"pected rror and *arning status messages indicate t#at problems e"ist '#e statusmessages often contain troubles#ooting information like possible causes and solutions4ou can view status messages in t#e Configuration Manager console using t#e StatusMessage


20/47

backing up Hust one of t#ese elements is not sufficient to restore a working siteConfiguration Manager 2007 uses t#e


21/47

'#e application #as a tool to create a customied *indows 1nstaller file t#at will installt#e software wit# no user intervention and using all of t#e accounting department?spreferred defaults 8im creates one program to run t#e customied *indows 1nstaller and#e creates a second program to uninstall t#e accounting application! Hust in case @ot#

programs are configured to run w#et#er or not a user is logged on! and bot# will run wit#administrative rig#ts even if t#e logged on user is not currently an administrator! even ift#e client computer is running *indows pm in #is site is midnig#t in a different site vent#oug# t#e application is rat#er large! 8im configures t#e advertisement to run even if t#eclient computer is connected to a slow network boundaryF t#is means t#at accountingusers w#o work from #ome and connect using a


22/47

&s soon as 8im completes t#e advertisement wiard! Configuration Manager 2007creates a policy and sends it to t#e management points for all t#e sites ,or t#emanagement points at t#e c#ild sites! t#e sender at t#e parent site copies t#e policy to t#esite server at t#e c#ild site and t#e c#ild site server sends it to t#e site management point

'#e clients in all t#e sites #ave been configured to poll for new policy every two #oursbecause it provides a nice balance between getting software out %uickly enoug# but notsaturating t#e network wit# policy re%uests

'#e ne"t time a client in t#e &ccounting collection polls t#e management point! it is toldt#at it #as software advertised to it 1t asks for t#e location of t#e content and is given alist of distribution points in t#e site '#e client sorts t#e list and finds t#ree distributionpoints on t#e same subnet! so it picks one at random '#e client connects to t#e selecteddistribution point and downloads t#e content into a local cac#e and t#en runs t#e program

from t#e cac#e to install t#e accounting software

&fter t#e software is installed! t#e client sends a status message indicating success

8im creates a report to s#ow w#ic# clients #ave successfully installed t#e accountingsoftware

Customiing Configuration Manager

Microsoft System Center Configuration Manager 2007 functionality can be automatedand e"tended by using t#e System Center Configuration Manager 2007 SoftwareDevelopment 8it (SD8) '#e Configuration Manager SD8 provides t#e necessaryinformation to administrators w#o want to automate Configuration Manager 2007functionality and to developers w#o want to e"tend t#e base Configuration Managerfunctionality

'#e Configuration Manager SD8 contains t#e documentation! samples and referencematerial necessary to write applications t#at access and modify Configuration Managerdata 1n addition! t#e SD8 contains code samples in C and


23/47

Configuration Manager Desired Configuration ManagementConfiguration Manager Device ManagementConfiguration Manager DiscoveryConfiguration Manager 1nventoryConfiguration Manager Management /oint 1nterface

Configuration Manager 6etwork &ccess /rotection 1ntegrationConfiguration Manager +perating System DeploymentConfiguration Manager $emote 'oolsConfiguration Manager Server and Client 1nfrastructureConfiguration Manager Software DistributionConfiguration Manager Software MeteringConfiguration Manager Software =pdates ManagementConfiguration Manager System StatusConfiguration Manager *ake +n .&6

hat3s 1ew in Configuration Manager 2007

Some aspects of Microsoft System Center Configuration Manager 2007 #ave c#angedvery little from Systems Management Server (SMS) 200:! w#ile some #ave c#anged alot &lso! several new features #ave been added and some features #ave been removed

'#e following features are new to Configuration Manager 20079

Desired configuration management6etwork &ccess /rotection for Configuration Manager*ake +n .&6

'#e following features used to be available only in ,eature /acks but are nowincorporated into t#e core product9

Mobile device management+perating system deployment'ransfer site settings wiardManage site accounts tool (MS&C)&sset 1ntelligence

'#e following features #ave c#anged significantly from SMS 200:9

@ackup and recoverySoftware updates

'#e following features #ave been improved but still function very muc# like t#ey did inSMS 200:9

2:


24/47

'#e administrator consoleCollectionsSoftware distributionSoftware metering

$emote tools

'#e following features eit#er #ave not c#anged or #ave only very minor c#anges9

Discovery1nventory-ueries$eporting

'#e basic site infrastructure #as not c#anged 4ou still #ave primary sites and secondary

sites! t#oug# t#e new feature for software distribution called t#e branc# distribution pointmig#t remove t#e need to create some c#ild sites in your #ierarc#y Site to sitecommunication is still configured using senders and addresses! #owever in ConfigurationManager 2007 senders can only be installed on primary or secondary site server systemsConfiguration Manager 2007 now supports #osting t#e site database on a clustered S-.Server virtual instance as well as S-. Server 2005 named instances Several new serverroles #ave been added to support new features

1n SMS 200: you #ad two types of clients! but in Configuration Manager 2007 you #aveonly one client type! w#ic# is similar to t#e SMS 200: &dvanced Client Some of t#eclient deployment met#ods #ave c#anged and some met#ods #ave been removed & newmet#od! software update point client installation! allows you to leverage your softwareupdate infrastructure to deploy Configuration Manager 2007 clients

1n SMS 200: you #ad two security modes! but in Configuration Manager 2007 you #avet#e e%uivalent of SMS 200: advanced security owever! you now #ave two site modes!Configuration Manager 2007 native mode and Configuration Manager 2007 mi"ed mode&lt#oug# site modes are not at all related to t#e SMS 200: security modes! t#ey doinvolve t#e security of your Configuration Manager 2007 environment 6ative mode is are%uirement to support 1nternetbased client management! a new feature t#at allows youto manage clients t#at do not #ave a direct connection to your site

1n SMS 200: t#e site server?s local subnet is automatically used as t#e site boundary fort#e site during setup 1n Configuration Manager 2007! t#ere is no default boundarycreated during setup and you must manually create t#e boundary for a site w#en setup #ascompleted 1n SMS 200: t#ere are site boundaries and roaming boundaries! but inConfiguration Manager 2007 t#ere is only one type of boundary and it is e%uivalent toSMS 200: roaming boundaries Computers are assigned as clients to ConfigurationManager 2007 sites according to t#e site boundaries you configure in t#e Configuration

2>


25/47

Manager console @oundaries can now be defined by 1/ subnets! &ctive Directory sitenames! 1/vA /refi"! or 1/ ranges

1n SMS 200:! roaming boundaries were eit#er local or remote roaming boundaries *#encreating Configuration Manager 2007 boundaries! you instead decide if t#e boundary will

be used for eit#er a Slow or unreliable or ,ast (.&6) network connection

1n SMS 200:! you could not upgrade from t#e evaluation version of t#e product to t#efull version Configuration Manager 2007 now supports upgrading from t#e evaluationversion

1n SMS 200: t#e client pus# installation met#od properties used w#en installing clients#ave t#e default site code set to &uto 1n Configuration Manager 2007 t#e default sitecode used w#en installing clients using t#e client pus# installation met#od is set to t#esite code of t#e primary site

1n Configuration Manager 2007! state messages are sent by Configuration Manager 2007clients! using a new messaging system built into t#e product t#at allows clients to sendBc#eckpointsB of important c#anges of state State messages are not t#e same as statusmessagesF w#ereas status messages provide information about component be#avior anddata flow! state messages provide a snaps#ot of t#e state of a process at a specific time

Configuration Manager 2007 also includes support for fully %ualified domain names(,-D6) and 1/vA

*#at?s 6ew in &sset 1ntelligence for Configuration Manager

,irst introduced in SMS 200: S/:! &sset 1ntelligence #as been en#anced significantly inMicrosoft System Center Configuration Manager 2007 6ew reports #ave been added tot#e &sset 1ntelligence ardware! Software! and .icense Management categories

1n addition to tracking installed software! autostart software! and browser #elper obHects!new software reports provide information about recently used e"ecutables &s well as t#e#ardware reports t#at track =S@ devices! processor age! and readiness for upgrade! newreports identify computers t#at #ave software or #ardware c#anges since t#e lastinventory cycle 6ew Client &ccess .icense reports! added to t#e e"isting .icense .edgerreports! complete t#e ability to compare license usage wit# Microsoft .icense Statements

.icense Management $eports6ine new license management reports #ave been added! providing t#e means to trackClient &ccess .icenses (C&.) in addition to t#e e"isting volume license reports +ne oft#ese new reports identifies t#e number of processors in computers running software t#atcan be licensed using t#e perprocessor licensing model '#e remaining E new reportsidentify =ser C&. usage and Device C&. usage summaries! details! and #istory

,or more information! see .icense Management $eports

25


26/47

ardware $eports'#ree new #ardware reports #elp identify computers t#at #ave c#anged since t#e lastinventory cycle '#e c#anges identified in t#ese reports include bot# #ardware andsoftware c#anges

,or more information! see ardware $eports

Software $eportsSi" new software reports e"tend previous inventory capabilities by adding softwaremetering '#ese new reports identify recently used e"ecutables! w#ic# users ran t#em!and t#e devices on w#ic# t#e e"ecutables were run

,or more information! see Software $eports

*#at?s 6ew in Client Deployment for Configuration Manager

Client deployment in Microsoft System Center Configuration Manager 2007 introduces anumber of c#anges and new features designed to improve t#e ease and security of clientdeployment! and to improve t#e identification of any problems using standard reports

'#e following section details some of t#e new or improved features

C#ecking for Site Compatibility to Complete Site &ssignment'#e improved functionality from SMS 200: means t#at a Configuration Manager 2007client will not work if it is assigned to a site running SMS 200: 'o prevent t#is situation!site assignment in Configuration Manager 2007 now includes a version c#eck to ensurecompatibility between t#e client and its assigned site

,or site assignment to complete in Configuration Manager 2007! you must eit#er e"tendt#e &ctive Directory sc#ema for Configuration Manager 2007 or clients must be able tocommunicate wit# a server locator point in t#e #ierarc#y &dditionally! if you #avee"tended &ctive Directory but #ave clients from a separate forest! or clients fromworkgroups! you will need a server locator point

,or more information! see &bout Client &ssignment and Determine 1f 4ou 6eed a Server.ocator /oint

1mportant1f a Configuration Manager 2007 client cannot complete t#e c#eck for site compatibility!site assignment will not succeed

Client /rere%uisite C#ecks

2A


27/47

*#en CCMSetup installs t#e Configuration Manager 2007 client! it c#ecks t#edestination computer for t#e correct prere%uisites re%uired by your ConfigurationManager 2007 site 1f t#ese are not found! CCMSetup will install t#ese before installingt#e client

,or more information! see /rere%uisites for Client Deployment

&pproval for Clients in Mi"ed Mode& new procedure called approval #elps to protect t#e security of a site in mi"ed mode+nly clients t#at are approved will be sent policies t#at mig#t contain sensitive data 4ous#ould ensure t#at all client computers t#at you trust are approved wit# t#eir assignedsite

'#e default site setting for approval in Configuration Manager 2007 is to automaticallyapprove trusted computers '#is means t#at in most circumstances you will not #ave tomanually approve many computers! unless t#ey are from a separate &ctive Directory

forest or a workgroup owever! if your Configuration Manager 2007 spans multipledomains! ensure t#at t#e site?s default management point (or 6.@ management point) isconfigured wit# an intranet fully %ualified domain name (,-D6)

,or more information! see &bout Client &pproval and Determine 1f 4ou *ill =se ,-D6Server 6ames

Client @locking1f a client computer is no longer trusted! t#e Configuration Manager administrator canblock t#e client from t#e Configuration Manager infrastructure @locked clients arereHected by Configuration Manager so t#at t#ey cannot communicate wit# site systems todownload policy! upload inventory data! or send state or status messages to t#e site '#isaction is especially useful for laptop computers or mobile devices t#at are lost or stolen!to #elp prevent attackers from using a trusted client to attack t#e Configuration Manager2007 site or t#e network owever! it does not replace t#e use of certificate revocationc#ecking if t#is is supported in a public key infrastructure (/81) environment,allback Status /oint'#e fallback status point is a new site system role in Configuration Manager 2007 t#atreceives state messages from client computers during t#e installation process! and if t#eycannot connect to a management point '#is information is t#en displayed in reports to#elp you more easily identify computers t#at #ave failed to install t#e client software ort#at cannot communicate wit# t#eir site

'#e fallback status point is not publis#ed to &ctive Directory Domain Services as a sitesetting! so it must be assigned to clients during installation

,or more information! see &bout t#e ,allback Status /oint and Determine 1f 4ou S#ould1nstall a ,allback Status /oint

roup /olicy @ased 1nstallation and &ssignment

27


28/47

Configuration Manager 2007 supports using *indows roup /olicy to install or assignt#e client software to computers in your enterprise 4ou can use t#is met#od to assignnew or e"isting clients to a Configuration Manager 2007 site &n administrative templateto perform site assignment is included on t#e Configuration Manager 2007 installationmedia

,or more information! see ow to 1nstall Clients =sing roup /olicy and ow to &ssignClients to a Site

Software =pdate /oint @ased Client 1nstallationSoftware update point based client installation is a new client deployment met#odintroduced in Configuration Manager 2007 t#at allows t#e administrator to publis# t#elatest version of t#e Configuration Manager 2007 client into t#e *S=S catalog '#isallows t#e latest client software to be installed using standard software updatedeployment met#ods +ne of t#e advantages of t#is installation met#od is t#at it does notre%uire local administrative rig#ts on t#e target computer

,or more information! see Determine t#e Client 1nstallation Met#od to =se and ow to1nstall Clients =sing Software =pdate /oint @ased 1nstallation

Default Management /oint /ublis#ed to D6S'#e most secure met#od for a client to find its default management is t#roug# &ctiveDirectory Domain Services owever! if t#is is not possible eit#er because &ctiveDirectory is not e"tended! or because clients are from a separate &ctive Directory forestor a workgroup! D6S publis#ing offers a recommended alternative

'#is configuration re%uires an entry in D6S t#at is added eit#er automatically ormanually! and configuration on t#e client

,or more information! see Determine 1f 4ou 6eed to /ublis# to D6S and ConfigurationManager and Service .ocation

=ninstalling t#e Configuration Manager Client Software'#e ccmclean4e5eutility provided wit# SMS 200: 'oolkit 2 cannot be used to uninstallt#e Configuration Manager 2007 client software 'o successfully uninstall t#eConfiguration Manager 2007 client software you must use t#e CCMSetupe"e e"ecutabletoget#er wit# t#e uninstall property

,or more information! see ow to =ninstall t#e Configuration Manager ClientClient 6etwork &ccess &ccount'#e SMS 200: client network access account is no longer used for client pus#installations in Configuration Manager 2007

,or more information! see ow to 1nstall Clients =sing Client /us#

Client 1nstallation /roperties /ublis#ed in &ctive Directory

2E


29/47

1f you #ave e"tended t#e &ctive Directory sc#ema for Configuration Manager 2007 andt#e site is configured to publis# to &ctive Directory Domain Services! a number of clientinstallation properties are publis#ed '#ese settings can remove t#e need to specifyCCMSetup command line properties under certain circumstances! suc# as w#en youinstall t#e Configuration Manager 2007 client using software update point based

installation or use roup /olicy installation

,or more information! see &bout Client 1nstallation /roperties /ublis#ed in &ctiveDirectory

/rovision Client 1nstallation /roperties =sing roup /olicy4ou can use *indows roup /olicy to provision client installation properties oncomputers prior to installing t#e Configuration Manager 2007 client *#en t#e client isinstalled! t#ese properties will be used if no ot#er installation properties #ave beenspecified &n administrative template to provision client computers wit# installationproperties is included on t#e Configuration Manager 2007 installation media

,or more information! see ow to /rovision Client 1nstallation /roperties using roup/olicy

.ow $ig#ts Client 1nstallation 6o .onger Supported1n SMS 200:! users wit#out administrative rig#ts to t#e computer could manually installt#e SMS advanced client '#ese computers would t#en submit a CC$ to t#e site serverw#ic# would initiate t#e installation 1n Configuration Manager 2007! t#is feature is nolonger supported 4ou can install t#e Configuration Manager 2007 client on computerslogged on wit# nonadministrator rig#ts using t#e following met#ods9

Client pus# installation (if a valid client pus# installation account #as been specified)

Software update point based client installation

roup /olicy installation

,or more information! see ow to 1nstall Clients =sing Client /us#! ow to 1nstallClients =sing Software =pdate /oint @ased 1nstallation and ow to 1nstall Clients =singroup /olicy

C&/16S'; is 6o .onger SupportedCapinste"e is no longer used in Configuration Manager 2007 for logon script clientinstallation ,or information about #ow to install Configuration Manager 2007 clientsusing a logon script! see ow to 1nstall Clients =sing .ogon Scripts

Client 1nstallation ,iles are Downloaded from t#e Management /oint over ''/

2G


30/47

1n SMS 200:! client installation files were downloaded from an SM@ s#are on t#emanagement point 1n Configuration Manager 2007! t#e default be#avior is to downloadt#ese files using a ''/ connection 4ou can still use an SM@ s#are to download clientinstallation files! but you must create t#is s#are yourself and specify t#e CCMSetupinstallation property source

,or more information! see &bout Client 1nstallation /roperties

Managing Client 1dentityConfiguration Manager 2007 manages client identity to #elp eliminate duplicate =1Ds,or eac# client computer! Configuration Manager 2007 calculates a #ardware 1D using aproprietary algorit#m to #elp ensure t#at eac# client is uni%uely identified 1fConfiguration Manager 2007 detects a duplicate #ardware 1D! Configuration Manager2007 can automatically create a new client record for t#e duplicate record '#is settingallows you to easily upgrade or deploy clients t#at mig#t potentially #ave duplicate#ardware 1Ds! wit#out re%uiring manual intervention owever! wit# t#is setting! if you

recover a computer and it maintains t#e original #ardware 1D! Configuration Manager2007 will create a new record and you lose t#e #istorical continuity for reportingpurposes 1f you want to manually resolve conflicting records! you can c#ange t#e settingon t#e Site /roperties &dvanced tab so t#at conflicting records will be displayed in t#eConflicting $ecords node 1f you enable manual conflict resolution for all sites in a#ierarc#y branc#! t#en t#e administrator at t#e top of t#e branc# can manually resolveconflicts for all c#ild sites ,or more information! see ow to Manage Conflicting$ecords

*#at?s 6ew in Mobile Device Management for Configuration Manager

'#e Mobile Device Management feature in Microsoft System Center ConfigurationManager 2007 introduces a number of c#anges from t#e version found in MicrosoftSystems Management Server (SMS) 200: Device Management ,eature /ack

Mobile device platform support addedSupport for t#e following mobile devices #as been added9

*indows Mobile 200: Smartp#one

*indows Mobile for /ocket /C 200: Second dition

*indows Mobile for /ocket /C 50

*indows Mobile for /ocket /C /#one dition 50

:0


31/47

*indows Mobile A Standard

*indows Mobile A /rofessional

*indows Mobile A Classic

,or a complete list of supported mobile devices! see Supported Mobile Devices

1nternetbased Client Management Support for Mobile Device Clients1nternetbased client management allows you to manage Microsoft System CenterConfiguration Manager 2007 mobile device clients w#en t#ey are not connected to yourcompany network but #ave a standard 1nternet connection ,or more information aboutconfiguring 1nternetbased mobile device clients! see &dministrator C#ecklist9

Configuring Mobile Devices for a Site t#at Supports 1nternet@ased Client Management

DMConsole removed'#e Device Management Console for t#e mobile device client #as been removed Mobiledevice clients retain a Device Management view under Start Settings

SMSIDefmof for #ardware inventory e"tension now in a defined packageMicrosoft System Center Configuration Manager 2007 administrators no longer #ave todeploy SMSIDefmof to e"tend t#e #ardware inventory & defined Device Management1nventory "tension package now contains everyt#ing needed to target and deploymobile devices ,or more information about e"tending t#e inventory to desktopcomputers for mobile device management! see ow to Distribute 1nventory "tension toClient Desktop Computers for Mobile Device Management

DMScript removedDevice Management Scripts #ave been removed from Configuration Manager DeviceManagement Scripts will not function on a Configuration Manager client because t#eDMScript engine #as been removed &dministrators t#at need t#is functionality areencouraged to use t#e 6' Compact ,ramework and any of t#e 6' languages tocreate command applets to perform t#ese functions

6ew Mobile Device Management $eports'#e following new reports #ave been added to t#e mobile device management feature9

6ew Client Status $eports9

Client &gent Deployment Success

:


32/47

Client &gent Deployment N ,ailure

Client &gents N ealt#y

Client &gents =n#ealt#y

Client &gent ealt# Summary

Client &gent =n#ealt#y N .ocal

,or more information about reports for mobile devices! see ow to =se $eports for

Mobile Devices*#at?s 6ew in +perating System Deployment for Configuration Manager

+perating System Deployment (+SD) provides t#e Configuration Manager 2007administrator wit# a tool for creating images t#at can be deployed to computers managedby Configuration Manager 2007! and to unmanaged computers using bootable mediasuc# as CD or D


33/47

+SD offers a new task se%uence editor wit# many builtin features t#at provide fle"ibleoperating system deployment options bot# wit# operating system deployments and foruse wit# performing ot#er related tasks

*#at?s 6ew in $emote 'ools for Configuration Manager

'#e $emote 'ools feature in Microsoft System Center Configuration Manager 2007introduces a number of c#anges from t#e version found in Systems Management Server200: '#ese c#anges are designed to provide t#e following improvements9

1mproved security

=se of t#e latest communications protocols

1mproved performance

/rovide compatibility wit# new operating systems

6ew $emote 'ools &gentConfiguration Manager 2007 includes a new remote tools agent w#ic# uses t#e Microsoft$D/ protocol '#is is a standard protocol used for applications suc# as $emote Desktopand $emote &ssistance '#e $D/ protocol is supported on client computers running*indows ;/ and *indows 200: Server and above '#e following levels of access aresupported by t#e new remote tools agent9

6o access


34/47

,ull control

$emote 'ools =1'#e following options are no longer included in t#e Configuration Manager 2007 remotetools9

$eboot

C#at

,ile transfer

$emote e"ecute

*indows GE diagnostics

/ing

:>


35/47

*#at?s 6ew in Security for Configuration Manager

Microsoft System Center Configuration Manager 2007 introduces some significantsecurity c#anges from Systems Management Server (SMS) 200:

Configuration Manager 2007 as +ne Security Mode1n SMS 200: you #ad t#e option of standard security or advanced security and advancedsecurity was recommended 1n Configuration Manager 2007! you #ave only one securitymode and t#at mode is e%uivalent to SMS 200: advanced security mode 1n SMS 200:some sites could not comply wit# t#e advanced security re%uirements t#at all sitessystems belong to an &ctive Directory domain! but t#is is now a re%uirement to runConfiguration Manager 2007

1f you are installing a new site! you will not be prompted to c#oose a security mode 1fyou are upgrading from SMS 200:! you must convert your site to advanced security priorto running Setup &fter converting! s#ould delete any accounts t#at will not be re%uired

,or more information! see &ccounts to Delete after =pgrading from SMS 200: 4ous#ould also verify t#at you #ave t#e proper accounts in place for Configuration Manager2007 to function ,or more information! see C#ecklist for Configuration Manager&ccount Security

Configuration Manager 2007 as 'wo Site ModesConfiguration Manager 2007 gives you a c#oice between Configuration Manager 2007native mode and Configuration Manager 2007 mi"ed mode 6ative mode re%uires ane"isting /ublic 8ey 1nfrastructure (/81) implementation! but provides mutualaut#entication between Configuration Manager 2007 clients and servers 1t is t#e mostsecure c#oice Mi"ed mode is provided for backward compatibility wit# #ierarc#ies t#atmust support SMS 200: sites and for organiations wit#out t#e resources to deploy a/81 1f you deploy in mi"ed mode! you #ave t#e option to manually approve all clientsbefore t#ey can Hoin t#e site or you can allow all domainHoined clients to beautomatically approved 1t is possible to allow all clients to be automatically approved!w#et#er or not t#ey belong to a trusted domain! but t#at increases your security risk byallowing unknown clients to Hoin your site

Configuration Manager 2007 Supports +nly +ne Client 'ype1n SMS 200:! you #ad a c#oice between t#e .egacy Client and t#e &dvanced ClientStarting wit# SMS 200: S/! you could install t#e .egacy Client only on *indows GE or*indows 6' >0 clients 1n Configuration Manager 2007! t#ere is Hust one client calledsimply t#e Configuration Manager 2007 client and it is similar to t#e SMS 200:&dvanced Client @efore upgrading to System Center Configuration Manager 2007! youmust remove all .egacy Clients in t#e site #ierarc#y

Configuration Manager 2007 Supports +nly S-. Server *indows &ut#entication1n SMS 200: you configure SMS to access t#e site database server using eit#er S-.Server &ut#entication! previously known as standard security! or *indows&ut#entication! previously called integrated security 1f you used S-. Server

:5


36/47

&ut#entication! you #ad to provide a S-. login for SMS to use w#en accessing t#e sitedatabase Configuration Manager 2007 supports only *indows &ut#entication! meaningConfiguration Manager 2007 uses t#e site server computer account to access t#e sitedatabase Several database roles #ave been added to better control ConfigurationManager 2007 access to t#e S-. Server

1ntersite Communication Security1n SMS 200:! you #ad t#e option of w#et#er or not a site could accept unsigned datafrom anot#er site 1n Configuration Manager 2007! all data must be signed between sitesand t#ere is no option to disable t#e signing re%uirement

&lso! in SMS 200:! secure key e"c#ange was not enabled by default between sites 1nConfiguration Manager 2007! t#e re%uirement for secure key e"c#ange between sites isenabled by default for fres# installations

Client /us# 1nstallation Can =se ComputerO &ccount

ven if your SMS 200: site used advanced security! you #ad to configure a user accountto perform Client /us# 1nstallation 1n Configuration Manager 2007! if you do not #ave auser account configured! Configuration Manager 2007 will try t#e site server computerOaccount 1f no client pus# installation accounts are defined! and if t#e computerO accountdoes not #ave administrative rig#ts to t#e client computer! Client /us# 1nstallation willfail

1mportant&dding t#e site server computerO account to t#e Domain &dmins global group is notrecommended because it is e"cessive privilege & better alternative is to add t#e siteserver computerO account to a different global group! t#en use roup /olicy to add t#eglobal group to t#e local &dministrators group as a restricted group ,or moreinformation! see Microsoft 8@ article :200A5 ! Bow to Configure a lobal roup to @ea Member of t#e &dministrators roup on all *orkstationsB

Security Configuration *iard elps Secure Site $oles*it# t#e release of *indows Server 200: S/! t#e Security Configuration *iard (SC*)provides server #ardening based on t#e roles performed by t#e server ConfigurationManager 2007 templates can be added to SC* to provide t#e recommended securityconfiguration for Configuration Manager 2007 site system roles $unning t#e SC*replaces t#e previous security recommendations to run 11S .ockdown and =$.Scan onConfiguration Manager 2007 roles t#at re%uire 11S @ecause t#e SC* provides anautomated way to #elp secure servers! t#e manual #ardening c#ecklists for 11S and S-.provided in BScenarios and /rocedures for SMS 200:9 SecurityB are no longer provided

@efore you can run t#e SC* on your site server and site systems! you must completesome manual steps ,or more information! see ow to Configure *indows SC* forConfiguration Manager

:A


37/47

=pgraded &dministrators Do 6ot ave &ccess to &ll +bHects&fter upgrading! t#e user w#o ran t#e upgrade #as access to all of t#e obHects in t#eConfiguration Manager 2007 console but e"isting administrators #ave access only toobHects t#at e"isted prior to upgrade '#is is true even for software updates obHects =sers

w#o #ad full rig#ts to all SMS 200: software updates obHects will #ave full rig#ts to t#esame obHects in Configuration Manager 2007 but will not #ave any rig#ts to new obHecttypes suc# as templates

&ccount C#anges@ecause standard security and t#e .egacy Client are not used in Configuration Manager2007! any accounts related to t#ose configurations are no longer needed ConfigurationManager 2007 does not create any user accounts during Setup or client installationSeveral new accounts are introduced in Configuration Manager 2007

&ccount 6ame =sed for

Site System 1nstallation account1nstalling and configuring site systemsealt# State $eference /ublis#ing account6etwork &ccess /rotection publis#ing to &ctive Directory Domain Servicesealt# State $eference -uerying account6etwork &ccess /rotection %uerying from &ctive Directory Domain ServicesCapture +perating System 1mage accountCapturing images for operating system deploymentsSoftware update point pro"y server accountSync#roniing t#e software update catalog! if your pro"y server re%uires aut#entication'ask Se%uence ditor Domain Poining account'ask se%uences in operating system deployment t#at re%uire a security conte"t to Hoin adomain/ro"y &ccount for 1nternetbased clients1nternetbased clients t#at need to aut#enticate to a pro"y server w#en accessing t#e1nternet

'#e SMSISiteSystem'oS-.Connection group is no longer needed because databaseaccess is controlled by S-. Server roles t#at are automatically created duringConfiguration Manager 2007 Setup ,or more information! see &bout t#e Database $olesfor Configuration Manager

:7


38/47

& new group! t#e ConfigMgr $emote Control =sers group! #as been added to contain t#emembers of t#e /ermitted


39/47

*#at?s 6ew in Software Distribution for Configuration Manager

*it# t#is release! Microsoft System Center Configuration Manager 2007 e"pands t#eabilities of system administrators to centrally manage computers effectively @uilding ont#e capabilities provided by System Management Server (SMS) 200:! Configuration

Manager provides a refined tool set for software distribution t#at includes t#e followingnew c#aracteristics9

@ranc# Distribution /oints& new Configuration Manager server role! t#e branc# distribution point allows smalloffice locations to #ost packages on workstation computers wit#out re%uiring a secondarysite to be #osted '#is is particularly useful for offices wit# fewer t#an ten workstations!w#ere maintaining a separate server for a secondary site mig#t not be practical

@ranc# distribution points function in muc# t#e same fas#ion as standard distributionpoints! but #ave t#e advantage of providing greater control over network traffic!

necessary for branc# offices t#at may #ave limited network bandwidt# availability@ranc# distribution points allow not only allow for manual content provisioning! but alsoprovide configurable settings for sc#eduling and t#rottling network traffic! @1'S(@ackground 1ntelligent 'ransfer Service) enabling! to #elp minimie network impact&dditionally! ondemand package distribution are allowed! in w#ic# packages are onlydownloaded to t#e branc# distribution point w#en specifically re%uested by a clientcomputer

,or more information! see &bout @ranc# Distribution /oints

Ma"imum &llowed $un 'ime /rogram &ttribute& program attribute t#at e"isted in previous versions of Configuration Manager!Ma"imum &llowed $un 'ime #as taken on greater significance in ConfigurationManager 2007 1f a program is advertised to a collection t#at is utiliing maintenancewindows! t#e value of t#e Ma"imum &llowed $un 'ime attribute is used to determinew#en and if t#e program can be run wit#in t#e allotted window ,or instance! if t#e runtime is set to G0 minutes! but t#e collection it is advertised to only #as a maintenancewindow of A0 minutes! t#at program will not run "ceptions to t#is can be set! in t#eform of options to disregard e"isting maintenance windows! but care s#ould be taken toensure t#at t#is attribute is accurate

'#is value can be set w#en creating a program in t#e 6ew /rogram *iard! or on t#e$e%uirements tab of t#e /rogram /roperty page for e"isting programs @y default! t#isvalue is automatically set to 20 minutes

,or more information on maintenance windows and t#eir interaction wit# t#e ma"imumallowed run time attribute! see &bout Maintenance *indows and /rogram $un Scenariousing Maintenance *indows

1mproved /rogram rerun be#avior

:G


40/47

Software distribution now e"poses program rerun be#avior options to administrators to agreater degree t#an previously '#e number of available be#avior options #as alsoincreased '#ese can be seen w#en configuring a new or e"isting advertisement and allowadministrators greater fle"ibility in determining w#at rerun be#avior is most appropriatefor eac# specific advertisement &dditionally! Configuration Manager prevents

administrators from selecting an incompatible program rerun option

,or more information on program rerun be#avior! see &dvertisement 6ame /roperties9Sc#edule 'ab

reater control over program run and restart notifications*it# Configuration Manager 2007! users now #ave greater control over many programrun and notification settings &dministrators can now set bandwidt# t#rottling! systemrestart countdown and restart notifications on t#e Computer Client &gent! advertisedprogram notification and program run countdown settings on t#e &dvertised /rogramsClient &gent! and collectionspecific restart and policy polling settings on t#e collections

t#emselves

@randing support for client agentSoftware distribution provides now support for customied branding t#roug# t#eComputer Client &gent '#is allows administrators to use customied organiationspecific te"t to be displayed on t#e client computer! suc# as wit# t#e $un &dvertised/rograms dialog bo" &dditional custom branding can be used for t#e softwaredistribution! software updates! and operating system deployment features

,or more information! see Computer Client &gent /roperties9 Customiation 'ab

@inary Delta replication&lt#oug# delta replication #as e"isted in previous versions of System ManagementServer! t#is #as previously been available only on t#e file level ,or instance! if a filewit#in a package or program c#anged! filedbased delta replication would copy t#ec#anged file to distribution points (and ot#er destinations) instead of copying t#e entirepackage *it# binary delta replication! only t#ose specific c#anges wit#in a file arecopied to t#e destination! t#ereby greatly reducing t#e network traffic involved '#is canbe used on a sitetosite! sitetodistribution point! or standard distribution pointtobranc#distribution point basis

,or more information about binary delta replication! see &bout @inary Differential$eplication

1ncreased Default Cac#e Sie*it# t#e release of Configuration Manager 2007! t#e sie of t#e cac#e for storingpackages w#en t#ey?re downloaded #as increased dramatically! from 250 Mb in sie to520 Mb @ecause w#en a package must be downloaded! it competes wit# ot#er! oftenolder packages for t#e available space in t#e cac#e! in t#e past t#ese older packages mig#tbe deleted to free enoug# space to place t#e new package in t#e cac#e ,or very large

>0


41/47

packages! downloading mig#t not #ave been possible at all if t#e sie of t#e package (orimage) e"ceeded t#e sie of t#e cac#e *it# t#e increased default cac#e sie! #owever!t#is is far less likely to #appen! and older packages will remain in t#e cac#e and availablelonger

&dvertisements 6ot $eplicated to Secondary Sites1n SMS 200:! all advertisement information was sent to bot# secondary and primary sitesbecause .egacy Clients could be assigned directly to secondary sites owever!Configuration Manager 2007 does not use .egacy Clients! and all clients can only beassigned to a primary site

@ecause of t#is! Configuration Manager no longer replicates advertisement informationto secondary sites! resulting in significant performance improvements and savings innetwork bandwidt#

>


42/47

*#at?s 6ew in Software =pdates for Configuration Manager

'#e software updates feature was introduced wit# Systems Management Server (SMS)200: and provides a set of tools and resources t#at can #elp manage t#e comple" task oftracking and applying software updates to client computers in t#e enterprise '#e same

basic obHectives are ac#ieved! but software updates in Configuration Manager 2007provides more advanced configuration options and utilies new components andimproved tec#nology to ac#ieve t#ese obHectives

Software =pdate /oint Site System $ole'#e software update point is installed as a site system role in t#e Configuration Managerconsole ac# site must #ave an active software update point before t#e software updatesfeature is enabled & second software update point can be installed to #andle t#ecommunications from 1nternetbased client computers '#e software update point sitesystem role must be created on a server t#at #as *indows Server =pdate Services(*S=S) :0 already installed and configured '#e software update point provides t#e

communication wit# *S=S and sync#ronies wit# t#e *S=S database to retrieve t#elatest software update metadata from Microsoft =pdate! as well as locally publis#edsoftware updates ,or more information! see &bout t#e Software =pdate /oint

Software =pdates Client &gent'#e Software =pdates Client &gent in Configuration Manager 2007 is enabled bydefault! and client agent components are installed on client computers wit# t#e ot#erConfiguration Manager client components '#e Software =pdates Client &gent #andlesscan re%uests for software updates compliance! software update evaluation re%uests!deployment policies for t#e client! and content download re%uests ,or more information!see &bout t#e Software =pdates Client &gent

Software =pdates Compliance Data on ClientsConfiguration Manager 2007 no longer uses #ardware inventory to report t#e compliancefor software updates on Configuration Manager 2007 client computers Client computersnow create state messages t#at contain t#e compliance assessment data and send t#esemessages to t#e management point! w#ic# in turn sends t#e data to t#e site server '#ecompliance assessment data is displayed in t#e Configuration Manager console and inSoftware =pdates compliance reports

1nventory Scan 'oolsConfiguration Manager client computers no longer use a variety of inventory scan toolsto scan for software update compliance! but instead t#e *indows =pdate &gent (*=&)on client computers '#ere are several inventory scan tools in SMS 200: t#at scan clientcomputers for software update compliance *#en a site is upgraded to ConfigurationManager 2007 and t#e 1nventory 'ool for Microsoft =pdates is found on t#e site server!most likely t#e central site! t#e tool is automatically upgraded &fter t#e upgrade! t#e1nventory 'ool for Microsoft =pdates is fully operational for SMS 200: client computersat t#e site! t#e 1nventory 'ool for Custom =pdates is supported! but wit# conditions! andt#e ot#er scan tools #ave very limited support =sing t#e scan tools on Configuration

>2


43/47

Manager 2007 client computers is not supported ,or more information! see /lanning t#eSMS 200: Software =pdates =pgrade

Software =pdate @undlesSMS 200: displayed t#e same software update multiple times in t#e SMS &dministrator

console for eac# language and product for t#e update Configuration Manager 2007 #asintroduced t#e concept of software update bundles! w#ere a software update is displayedonly once in t#e Configuration Manager console Software update deployments areinitiated by selecting t#e bundle update! and w#en creating t#e deployment t#eadministrator can define w#ic# language specific update files will be downloaded andmade available to client computers

Software =pdates SupersedenceSupersedence is w#en a new software update contains t#e same fi"es t#at were in apreviously released software update 1n t#e past! new and previously released softwareupdates! w#ic# contained t#e same fi"! mig#t #ave bot# been marked as re%uired w#en

t#e only one t#at was necessary was t#e newer software update

1n Configuration Manager 2007! software updates uses t#e *indows =pdate &gent w#ic#partially addresses t#e issue of supersedence *#en new software updates are releasedt#at contain fi"es for previously released updates! Microsoft =pdate is refres#ed wit#information relating to t#e new software update and any software updates t#at itsupersedes &s client computers scan for software update compliance! any re%uiredsoftware updates t#at supersede previous updates are returned wit# compliance state butt#e previously released software updates are not returned '#e e"ception to t#is is w#en aService /ack contains a re%uired software update '#e *indows =pdate &gent returnsbot# t#e software update and t#e service pack wit# a re%uired compliance state '#isprovides administrators wit# t#e fle"ibility to deploy individual software updates or fullservice packs

Deploying Software =pdatesSoftware updates are deployed to client computers using t#e Deploy Software =pdates*iard! muc# like it is in SMS 200:! but new obHects #ave been introduced and t#ere#ave been c#anges to t#e deployment process '#e following sections briefly describet#ese c#anges

DeploymentsConfiguration Manager 2007 no longer uses advertisements for delivering softwareupdates Software update deployments are now used as t#e ve#icle t#at delivers softwareupdates to client computers '#e deployment properties contain t#e relevant informationabout t#e software updates in t#e deployment! t#e target collection! t#e settings t#atimpact client be#avior w#en running t#e deployment! t#e deployment sc#edule settings!and so on *#en a deployment is created! client computers receive it as part of t#eConfiguration Manager policy ,or more information! see &bout Software =pdateDeployments

>:


44/47

Deployment /ackagesDeployment packages are used to #ost t#e files for t#e software updates in a deployment!muc# like t#at of software distribution packages '#e main difference is t#at t#edeployment package is used to get t#e files to t#e distribution points! but once t#atprocess completes! client computers will access t#e software update files from any

package s#ared folder on any distribution point regardless of w#et#er t#e package wasdefined in t#e deployment t#at targeted t#e client *#en t#e client computer receives anew deployment! it determines w#ere t#e software update files are located! independentof t#e deployment! and install from t#e preferred location ,or more information! see&bout Deployment /ackages in Software =pdates

Selective DownloadConfiguration Manager 2007 provides selective download tec#nology '#is tec#nologyallows a deployment package to contain a large number of files! but client computers willretrieve only t#e files t#at are re%uired ,or e"ample! if a client receives a deploymentt#at contains ten software updates but only two of t#em are re%uired on t#e client

computer! t#e client will connect to t#e distribution point and download only t#e files t#atit needs

Deployment 'emplatesDeployment templates provide t#e ability to save a set of deployment properties for usein future software update deployments *#en a deployment template is used in creating anew deployment! it populates t#e deployment wit# t#e preconfigured properties '#isprovides consistency among deployments wit# similar re%uirements and saves a lot ofadministration time ,or more information! see &bout Deployment 'emplates in Software=pdates=pdate .ists=pdate lists provide t#e ability to initiate a deployment for a set of software updatescontained in t#e list =sing t#e update list provides several benefits w#en deploying andmonitoring software updates and is! t#erefore! part of t#e recommended software updatesworkflow =pdate lists allow administrators to create a deployment from t#e update listinstead of manually selecting t#e set of updates every time a new deployment is created'#ey allow administrators to use reports for specific update lists to monitor t#ecompliance for t#e software updates and #elp to troubles#ooting updates contained in t#elist =pdate lists also allow administrators to create update lists wit# approved updates!and t#en delegate t#e responsibility to deploy t#e update lists ,or more information! see&bout =pdate .ists in Software =pdates

6etwork &ccess /rotection6etwork &ccess /rotection (6&/) is a policy enforcement platform built into t#eMicrosoft *indows >


45/47

Configuration Manager System ealt# 5


46/47

*#at?s 6ew in Software Metering for Configuration Manager

'#e software metering feature in Configuration Manager 2007 introduces a number ofc#anges from t#e version found in Systems Management Server 200:

'#e following section lists some new features found in Configuration Manager 2007software metering9

&utomatic Software Metering $ule enerationConfiguration Manager 2007 allows you to configure software metering to automaticallygenerate disabled software metering rules from recent usage inventory data #eld in t#eConfiguration Manager 2007 database '#is feature can be configured so t#at onlyapplications used on a specified percentage of computers will #ave metering rulescreated 4ou can also specify t#e ma"imum number of automatically generated softwaremetering rules allowed on t#e site

*#at?s 6ew in t#e Configuration Manager Console

'#e administrator console #as been updated for Microsoft System Center ConfigurationManager 2007 Several key features now #ave #ome pages t#at summarie informationabout t#at feature! including grap#s and reports t#at you can access from t#e #ome page

'#e following section lists some new features in t#e Configuration Manager 2007console

Multit#readed Console +peration1n SMS 200:! t#e SMS &dministrator console was single t#readed and you could beblocked from completing actions in one snapin w#ile an action completed! so it wasuseful to connect multiple times to t#e same site in one MMC window and t#en switc#between t#em as needed

1n Configuration Manager 2007 you can connect only one time to t#e same site in anMMC window! but because t#e Configuration Manager 2007 console is multit#readed! itcan perform several actions simultaneously! eliminating t#e need to switc# w#en anaction is running

Drag and Drop1t is now possible in Configuration Manager 2007 to drag some obHects to ot#er obHects,or e"ample! you can drop a program onto a collection to create an advertisement

&dministration ,eature /ack 1ntegration'#e 'ransfer Site Settings *iard and Manage Site &ccounts tool were available as partof t#e &dministration ,eature /ack for SMS 200: but in Configuration Manager 2007t#ey are installed by default

'o run t#e 'ransfer Site Settings *iard

>A


47/47

1n t#e Configuration Manager console navigate to System Center ConfigurationManager Site Database Site Management Qsite codeR Qsite nameR

$ig#tclick Qsite codeR Qsite nameR and t#en click 'ransfer Site Settings

6ote4ou can also start t#e wiard by rig#tclicking t#e Collections or /ackages nodes

&fter you #ave e"ported an ;M. file from t#e 'ransfer Site Settings *iard! you can uset#e command line version of t#e 'ransfer Site Settings *iard! $epl

01-microsoft system center configuration manager 2007

Documents