Microsoft System Center Configuration Manager 2007 – NAP (Network Access Protection)



NAP (Network Access Protection). To be honest, in regards to NAP and SCCM there is not much you need to know. If you don’t know what NAP is or how it works, I recommend you read up on it.

It’s also worth noting that NAP will ONLY work with Windows Server 2008 and above: the NAP policy can be configured on an SCCM site running Server 2003, but the NAP server itself must be Server 2008.

Let me start with a VERY basic overview of NAP and also what it does.

Let’s look at the diagram below. You have just purchased the best, most expensive, secure firewall known to man. Nobody from the outside is getting through the firewall to cause havoc on your network.

But what about Mr Joe Bloggs, who went home, got a virus, and on Monday morning comes in and happily plugs his laptop on to the network... Your firewall isn’t much good now.

NAP allows you to “quarantine” those machines which do not comply with your NAP policy in a remedial network.

For example, your NAP policy might require that the client has Windows Firewall turned on and has the latest updates/antivirus updates.

IF it does not have these, it is placed into a remedial network with limited access: only access to the servers which will allow the client to update itself to comply with your NAP policy.

Once it complies with your NAP policy it is allowed access to the production network.

Let’s now look very briefly at how you would configure it in SCCM.

Scroll down to Network Access Protection and right click > new policy

In this example, I’ve selected the update (we created in an earlier blog).

Setting “as soon as possible” is not always wise. You need to allow time for clients to process the update before you enforce it.

Review and click finish

We have now created a NAP policy. The above policy tells NAP that this update MUST be present before the client is allowed on to the network. If it’s not, then (depending on your NAP setup) it will be placed on a different subnet allowing it access to a WSUS server to obtain the update. Once the update is present it will be allowed on to the production subnet.

That’s that! I chose not to go through all the steps required for configuring a NAP environment, as that is outside the scope of this exam, but if you have done previous exams (70-642 for example, or even the Exchange exams) they cover NAP in depth as well as how to configure a NAP environment.

Microsoft System Center Configuration Manager 2007 – Remote Tools & WOL (Wake On Lan)


The ability to “remotely” control a client’s PC is one of the major benefits to any helpdesk or organisation. No longer is the need there to drive to the client site, you can do it from the comfort of your own desk/home/bed!

SCCM has a number of remote monitoring tools available to you as the administrator, and we will look at covering those off as well as the below in this blog:

  • Enabling remote tools
  • Enabling WOL (Wake on LAN)
  • Using remote tools
  • Leveraging WOL in your environment

As always, let’s make sure the remote tools client agent is enabled.

A few options you want to be careful of here. “Ask for permission when an administrator tries to access clients”: remember, if this is selected it means that if you wish to remotely control a remote server, someone will need to click the “allow” box in front of the server. Whilst it might seem like a good idea for clients, I personally would choose to deselect this option and simply alert the client when you have remote control (which is configured in the notification tab).

Here we choose which users can use the remote tools from the SCCM console

Here we can set the notification options for the client (when requesting/when you have) remote control

Choose whether to allow remote assistance or not

Likewise the same with remote desktop

Now we have these enabled and configured, let’s browse to a collection.

Right click the workstation and let’s see what remote tools we have available to us

As you can see we have a fair few. In this example I will send a request for remote assistance

If we switch over to the client PC this is the alert they receive

From our side of things (the SCCM console) this is our view once the user accepts our request. As you can see we are in view only mode at the moment

You can chat with the user in the chat box

Now, to take control, select “take control”.

The user receives the following

From our side we are alerted we are now in control

Allowing us to troubleshoot the problem

In another example, I can right click and select to bring up the client’s event viewer. (Very handy.)

That is pretty much that for remote tools, they are all fairly self-explanatory!

Moving on to WOL (Wake on LAN). You have to remember there are a few steps you need to make sure are covered off BEFORE enabling it in SCCM:

  1. Wake on LAN is enabled in the BIOS
  2. Wake on LAN is enabled in the network card properties (from within the OS)

Once these are OK, we can move to SCCM and enable it from there.

Select your site and right click > properties

Select the wake on LAN tab

Enable WOL

You will be alerted to the below: (click OK for now)

View the advanced settings and make any changes you need to

WOL is now enabled (click OK)

We now need to install the out of band service point site system role

Once installed double click to make sure the settings are how you want them

Review and click finish

If we right click and select properties we are able to adjust any of those settings now

The final step is to enable WOL in the “advertisements”. For example installing VLC, we will enable SCCM to send a magic packet to wake up the client and install VLC

Simply select enable wake on LAN
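Added example (not code from the original post, and not how the SCCM site itself does it): a PowerShell function that builds the magic packet SCCM sends when “enable wake on LAN” is ticked (6 bytes of 0xFF followed by the target MAC repeated 16 times, 102 bytes in total) and broadcasts it, so you can confirm a client really does wake after the BIOS and NIC steps above before relying on an out-of-hours advertisement. The MAC address is constructed, the broadcast address is an assumption for your subnet, and UDP port 9 is the SCCM 2007 default that you can change in the advanced WOL settings.

```powershell
function New-MagicPacket {
    param([Parameter(Mandatory)] [string] $MacAddress)  # '00-11-22-33-44-55' or '00:11:22:33:44:55'

    $hex = $MacAddress -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Invalid MAC address: $MacAddress" }

    # Six bytes parsed from the hex pairs of the MAC address.
    $mac = [byte[]](0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })

    # Magic packet layout: synchronisation stream of 6 x 0xFF, then the MAC repeated 16 times.
    [byte[]]$packet = @(0xFF) * 6
    for ($i = 0; $i -lt 16; $i++) { $packet += $mac }
    return $packet
}

function Send-MagicPacket {
    param(
        [Parameter(Mandatory)] [string] $MacAddress,
        [string] $Broadcast = '255.255.255.255',   # assumption: use the client's subnet broadcast instead
        [int]    $Port      = 9                    # SCCM 2007 default WOL port; match your site's advanced settings
    )

    $packet = New-MagicPacket -MacAddress $MacAddress
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $sent = $udp.Send($packet, $packet.Length, $Broadcast, $Port)
    } finally {
        $udp.Close()
    }
    return $sent   # number of bytes sent; a complete magic packet is 102 bytes
}

# Constructed MAC for illustration; take the real one from the client's SCCM hardware inventory.
$packet = New-MagicPacket -MacAddress '00-11-22-33-44-55'
"Magic packet length: $($packet.Length) bytes (expect 102)"

# Uncomment to actually wake the client on its own subnet (assumed broadcast address):
# Send-MagicPacket -MacAddress '00-11-22-33-44-55' -Broadcast '192.168.1.255'
```

If the client does not wake from this packet, the BIOS or NIC settings are the first thing to revisit, because the SCCM site is sending exactly the same thing.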

And that’s that. A relatively simple and small blog, but an important one: if you can’t install software during the day and choose to do it out of hours, WOL will be very beneficial.

Microsoft System Center Configuration Manager 2007 – Desired Configuration Management


DCM allows you to monitor your client machines to make sure the clients are fully compliant and running the correct configuration you wish to enforce.

For example, with Adobe Reader there is a registry key you can add to help improve optimisation. You can use DCM to check the client machines to make sure the registry setting is set to enabled (as this helps improve the end user experience). If it finds cases where clients are running with the registry key disabled, it can alert you.

We will look at covering in this blog:

  • The client agent
  • Baseline & Configuration Items – Elements you wish to monitor
  • Reports & Compliance – Allow you to report on the above captured data
  • Preconfigured Baselines

Let’s get started then. Navigate to the client agents folder and let’s make sure the DCM client agent is enabled.

There really aren’t too many settings, apart from the schedule on which you wish DCM to run. Like most default options, it’s set to 7 days.

Now let’s navigate to the DCM component and expand this.

You will notice that by default there are no configuration items or baselines set, which means we will need to create our own.

Before I do this, I’m going to flick over to MRPCX02 and create a new registry key with a value of 5 in the VLC folder <hklm\software\videolan\>

This is the registry key DCM will be scanning for

Right click configuration items and select NEW>Application configuration item

Enter a name, and choose a category (there are a couple of pre-defined categories) to make it easier to search. In this instance I will create a new group.

If you have access to the .MSI you can choose for DCM to check for the MSI first (to make sure the program is installed/should be installed).

In this case I will assume it is always installed.

On the next window we can choose the item we wish to scan for. Select Registry Key

Enter the location of the registry key

You will see I’ve made a mistake in the screen shot below (It should read: software\VideoLAN\VLC\test)

We’ve now added the registry key successfully. Select next

The next part is where we configure what the setting of the registry value should be. Select Registry (you can see there are many options for monitoring IIS/AD etc..)

Enter the value of the registry setting

We’ve now added the value; we also need to validate it (i.e. define what happens when it discovers this key)

Click validation

In this case if the value does not match 5 then alert with a warning

You can now choose which systems this is compatible with

Finally review the settings and click finish

We now have our new configuration item

We can now define our baseline policy (to which clients should adhere).

Select new configuration baseline

Fill out the below applicable to you (I’ve chosen to associate this with the XPClient group I created above)

On the next page you will see the various different options we can use to define if a client is compliant.

In our case we will use the third option down

Select the configuration item we created

Once complete click next

As a side note, we don’t just need to select one option. We could also choose for DCM to check that certain updates are installed

Review the settings and click finish
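The validation rule above (warn if the value is not 5) written out as a PowerShell check, added here as an illustration; it is not part of the post and not how the DCM agent evaluates items internally. It goes a little beyond the post by evaluating a list of registry items together, the way a baseline groups configuration items. It assumes the post’s item is a value named `test` under `HKLM:\SOFTWARE\VideoLAN\VLC`; the second item is constructed.

```powershell
function Test-RegistryConfigurationItem {
    param(
        [Parameter(Mandatory)] [string] $Path,        # e.g. HKLM:\SOFTWARE\VideoLAN\VLC
        [Parameter(Mandatory)] [string] $ValueName,   # e.g. test
        [Parameter(Mandatory)]          $ExpectedValue,
        [ValidateSet('Information', 'Warning', 'Error')] [string] $Severity = 'Warning'
    )

    # One result object per item, mirroring what the compliance reports show.
    $result = [pscustomobject]@{
        Path      = $Path
        ValueName = $ValueName
        Expected  = $ExpectedValue
        Actual    = $null
        Compliant = $false
        Severity  = $Severity
        Detail    = ''
    }

    # Missing key: non-compliant at the configured severity (DCM reports these too).
    if (-not (Test-Path -Path $Path)) {
        $result.Detail = 'Registry key not present'
        return $result
    }

    # Missing value under an existing key is treated the same way.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Detail = 'Registry value not present'
        return $result
    }

    $result.Actual = $item.$ValueName
    if ($result.Actual -eq $ExpectedValue) {
        $result.Compliant = $true
        $result.Severity  = 'Information'
        $result.Detail    = 'Value matches'
    } else {
        $result.Detail = "Value is $($result.Actual), expected $ExpectedValue"
    }
    return $result
}

# A baseline is just a set of configuration items evaluated together.
$baseline = @(
    # The post's item: warn when the VLC test value is not 5 (assumed key/value layout).
    @{ Path = 'HKLM:\SOFTWARE\VideoLAN\VLC'; ValueName = 'test'; ExpectedValue = 5; Severity = 'Warning' }
    # Constructed second item, not from the post: a setting you would rather fail hard on.
    @{ Path = 'HKLM:\SOFTWARE\Contoso\Example'; ValueName = 'Enabled'; ExpectedValue = 1; Severity = 'Error' }
)

$report = foreach ($ci in $baseline) { Test-RegistryConfigurationItem @ci }
$report | Format-Table Path, ValueName, Expected, Actual, Compliant, Severity, Detail -AutoSize

# Surface the non-compliant items at their severity, as the compliance reports would.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("[{0}] {1}\{2}: {3}" -f $_.Severity, $_.Path, $_.ValueName, $_.Detail)
}
```

Run it on MRPCX02 after creating the key from the post and the first item should come back compliant; run it on a machine without the key and you see the same non-compliance the report would flag once the DCM schedule has elapsed.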

Now we have our baseline, we need to assign this to a collection. In this example I will assign to the XP Systems collection.

Select assign to a collection

Select the baseline you wish to use

Choose the schedule you wish to use

Now we have defined our baseline we need to be able to report on it. If we click on to reports you will see a number of pre-defined reports for compliance

Select a report to run

And fill out the required details

Obviously, as the schedule has yet to run, it will show no results, but you get the idea.

Finally I’ll show you a handy little download from Microsoft.

This ConfigMgr pack contains a number of pre-defined baselines.

Install as usual

Now what we will do is import this .cab file into SCCM

Right click > Import Configuration Data

Add the .cab file

This shows us the items it will be importing

Click finish to start the import

Now if we refresh the DCM folder, we will see these pre-defined baselines and configuration items

Baselines:

Configuration Items

It’s always handy to have a browse through the settings of these pre-defined items just to get a better understanding of “how they work”.


Microsoft System Center Configuration Manager 2007 – Software Metering


In this short blog we will be looking at software metering and usage.

Wouldn’t it be nice to see if the users who have requested some expensive piece of software are actually using it and need it, as opposed to just “wanting it” because someone else has it!

We start with the client agent (like normal), and making sure the software metering client agent is enabled

By default the schedule is set to a week (to retrieve the information from clients). You can change this to suit

Once enabled client side, let’s move down to the software metering section under computer management

You will see there are a number of existing software metering rules in place for a range of default programs. As you can see, all of them are set to disabled by default

Let’s enable software metering for the default rule “notepad.exe”

Right click > properties, and we can take a look at what this rule is actually made up of.

We specify a file name, version, and also the usual security permissions

Now we have a brief idea of what “goes in” to a software metering rule, let’s create our own.

This rule will meter the usage of Microsoft Word (any version)

I’ll leave the default security settings

We now have our software metering rule.

Now we have our rule we need to report on it, let’s drop down to reports, we will see there are a number of pre-defined software metering reports.

In this example I’ll use the below pre-defined report

Select “run”

And fill out the required details

As we’ve only just created this rule there is no data (remember it runs once a week by default), but you get the idea of where to find this information when you need it.

Microsoft System Center Configuration Manager 2007 – Deploying Software Updates


A major part of any IT infrastructure is making sure that all your clients are patched and fully up to date. SCCM makes our lives easier (and if you’ve used WSUS – Windows Server Update Services – before, you will see the similarities, as SCCM works with WSUS).

This should be a fairly short blog (although as you’ll see the waiting for the SCCM server to pull down / query all the available updates will take the most time!).

We will look at covering:

  • The WSUS Installation – as SCCM works WITH WSUS
  • Software Update Client Agent & Site Role
  • Deployment Templates
  • Deployment Packages
  • Updating Computers

Before we go any further, if you haven’t already you will need to download WSUS. In this example I will be installing WSUS 3.0 SP1 (and then applying SP2).

Once you have the installer downloaded from Microsoft, run the installation and follow the installation wizard. When you get to the part regarding IIS, (personally) I always choose to install to a NEW IIS website. It just helps with maintenance, and also if any corruption should occur you are only affecting this site, and not the additional sites which all run under the default website.

Also please make a note of the ports used for this new IIS instance as you will need to update SCCM later with them!

*Remember make a note of the below ports*

Now we have completed the WSUS installation, we can move back over to the SCCM console and complete the required configuration steps within here.

Like with most other SCCM “features” we need to make sure the agent is enabled. Browse to Client Agents and make sure the Software Updates Client Agent is enabled.

You will see we have a couple of other configurable options within here, whether or not to force installations to clients as well as hiding the deployments from the end user.

We can choose a schedule for “re-evaluation” of deployments, i.e. if an update has previously been installed but can no longer be found.

Now we have configured the agent settings, we need to add in a new site system point.

Right click and select “software update point”

Follow the usual installation and select finish

Now let’s go in to the properties of the newly installed site role.

Remember when I said to make a note of the IIS port numbers, this is where we need to enter those two port numbers (as they are not using the default IIS ports).

We will be directly synchronising from Microsoft Update. We can also choose whether or not to create reporting events (e.g. do you want to see what is going on with the client: the installation progress/update progress). It’s up to you, but I would recommend in this case selecting create all WSUS reporting events.

By default updates are synchronised every 7 days. Depending on your environment you can choose longer or shorter, but 7 days is all we require for now.

Next we can select which type of updates we wish to sync.

We can also pick which products we wish to synchronise. There is no point syncing all the products (Exchange/IAG etc.) if we only run Server 2003/SQL 2005 and XP/Office.

Again, save yourself some time and space and only sync the required languages. Simply deselect any you don’t require.

Now we have configured this part. Let’s run a synchronisation with Microsoft. Browse to Software updates > Update repository > Right click > Run Sync

You will notice there is only one folder listed within the update repository at the moment

Here’s where you may as well go and do something else... Personally I left mine for a day; if you check the sync log you will see just how time consuming it is and how many updates will be processed.

When this finally finishes, refresh the console and you will now see folders of all those updates you ticked during configuration.

We can then drill down in to all updates

And if we look at all those for XP we can see it lists Unknown and Total as 4 (in the majority of the cases) as SCCM currently does not know the status.

You will also see Deployed is: No

Before we can deploy the updates, we need to create a deployment template. Browse to Deployment Templates and select New

Follow the wizard as below

Select which collections you wish to include in this template

In this example I’ll be deploying to all XP machines

I will choose to hide the notifications

As well as choosing not to restart if required

I don’t have MOM running so can ignore this but these are the same settings as covered in a previous blog

If you have boundaries set up, you can choose not to install or download the updates from the local distribution point.

Not applicable for this lab but if you still have an older SMS environment (2003) you can choose to deploy to them.

Review the settings and click Finish

We can now go back to the list of updates available. Right click a single update (or select multiple updates) > Update list

We will now create a new update list

Choose the name, and package source (I’ve created a folder in c:\sourcefiles\updates)

Choose a distribution point (in our case we only have the one)

Choose to download the software from the internet (or if the SCCM server has no “outside world” access, you can choose to download from a secure share on your network)

Again select the languages you need

Select any additional security

Review and click finish

If we now check the update lists you will see the new list we have created

If we right click on here we can now deploy the software updates

Name the deployment

Choose the existing template (we created earlier)

Choose when to deploy the updates, and whether a deadline is required/WOL is required.

If you are using NAP you can choose to include this as a requirement

Review and Finish

You may think it should appear in packages (where we deployed adobe and VLC from) but if you check it’s not listed

This is because it is actually listed under deployment management. If you drill down you will see the new deployment package located in here.

If we right click > properties, we can see all of the configuration options we have just configured.

And finally, once the update has been deployed if we refresh the console we should now see it showing as deployed to one workstation (I only have MRPCXP01 powered on at present).

Microsoft System Center Configuration Manager 2007 – Operating System Deployment


Now we’re talking! Operating system deployments. I’m warning you now, this is a fairly long blog, not because it’s particularly difficult but because there are many different parts which make up the overall “OS deployment”.

Ideally you need to be fairly familiar with WinPE (Windows Preinstallation Environment), the .WIM file format (Microsoft’s format for Windows imaging), and PXE booting. If you have never touched on them it will be worth your while having a quick 10 minute read up on each.

What types of images are we going to be working with then?

  • Boot Image
  • Install Image
  • Capture Image

We will be covering off task sequences (which define how and in what order items are completed), as well as the PXE site system role (for those machines in your environment which PXE boot).

As I said above, it’s not too complex, just many parts. Let’s get straight in with enabling the PXE service point. We should be more than familiar with adding site system roles now, so add the PXE service point as below

Select yes

Define the options you wish to use. (You may or may not want to set a password). You may not want to respond to requests on all network interfaces. It’s up to you

Again the below are fairly self-explanatory

Click finish

Now we can navigate to the OSD (Operating System Deployment) menu.

Before we start rolling out operating systems, we need to define a package to INSTALL the SCCM client. Otherwise we will be rolling these images out and won’t be able to manage them!

As the SCCM agent is a defined package already, we can easily add this (I won’t explain too much as we covered packages in the last blog).

Now we’ve added the SCCM client package, if we navigate to boot images you will see by default we have an x86 and x64 version.

Right click > properties to change any of the default settings.

If you wished to add a new boot image you would simply select “Add boot image” then follow the wizard

Now we have our boot image, we need to supply an operating system. (Once the system boots it needs to be able to install an OS)

Browse to the sources folder (in this case I’m using the windows vista CD)

Fill out any required details

If you right click > properties you can again edit any of the settings you just entered

Now we need to supply the operating system install package. I have the vista OS copied to a folder, and in the below example I’m simply browsing to the CD stored locally. At present we can now boot, find an OS but we need to know the location of the installation packages…

IF you have any special or required drivers to be installed, you can supply these by right clicking drivers and creating a new driver location

Once it has searched the location for drivers it will now try to import these

Type a name for these drivers

Select the location you wish these drivers to be added to

You can chose to inject the drivers in to the boot images if required

Once the drivers have been imported we can then continue.

Next we come to a task sequence. This is where we specify what actually happens and in which order

Right click > new task sequence, and we will select install an existing image package

As usual fill out all the required details

Select the required boot image

Select the operating system image

Choose if you wish the computer to be joined straight on the domain or simply a workgroup.

If you wish to capture any user/network or windows settings you can do so

In this case I won’t be

I don’t wish to install any updates for now

On the next page include the SCCM client agent as a package to be installed

Click finish and close

If you right click > properties you can see we now have lots of additional options and also the option to specify variables should something not complete successfully.

Finally we need to advertise this (like we did with the software deployments).

It’s the same as in the last blog so I won’t go in to detail again….

PLEASE PLEASE PLEASE make sure you choose to access the content from the server. If you download it, when the client formats the drive during the OS deployment well guess what there goes all the files needed to complete the deployment!

Now we have our sequence, if you wanted to create standalone media for this (say for an engineer to take out into the field), right click and choose whichever option you require

All fairly self-explanatory!

Using the same method as above (creating a task sequence) we will now build and then capture the OS image. We are effectively building it then sucking in all the information to create an operating system image. You will see every step is exactly the same as above with exception to the end where you actually do the capture.

Here is the difference, we now specify a location for the .wim file to be created

You can then click finish to complete the capture above.

There we have it, how to deploy an operating system via SCCM. Wasn’t too hard after all was it!

Microsoft System Center Configuration Manager 2007 – Software Distribution Practical


Back to getting hands on with SCCM in part 2 of Software distribution (the practical) blog.

I’ll get straight in to it as we’ve got a fair amount to cover in this blog, but I’m going to cover off the various elements which make up software distribution as a whole:

  • Distribution Point
  • Packages
  • Programs
  • Advertisements
  • Branch Distribution Points

Let’s make sure before we go any further that the client is configured for software distribution. Right click Advertised Programs Client Agent Properties from within client agents.

If this is not already enabled then let’s enable it

We don’t have to worry too much about the notification at this point, you will see this later on and can change accordingly.

Now we know the client side should be OK, we need to check server side is OK as well.

Make sure we have the ConfigMgr distribution point set as a standard distribution point.

This is also where you can chose which remote computers can become branch distribution points.

If you are using SCCM within a protected boundary, you can adjust the settings within the ConfigMgr site system options, as well as changing the account used.

For example you may wish to include only a certain subnet, or existing site boundary. In our case we only have the one site so this does not matter.

I’m now going to create a new shared folder called SourceFiles (c:\sourcefiles). I’m going to use this directory to start storing all the files required for app deployment and operating system deployment (to be covered later).

Make sure the computer has full access to this share

Expand software distributions, and you will be presented with two sub folders. Packages and Advertisements.

Right click and select new Package

We will now start to create a package we wish to deploy. In this example I am using Adobe Reader to deploy

On the second page select the location the .exe or .msi file is located

One quick check worth making is that the software distribution properties are set to store packages on the same drive you wish to use

You can also specify additional options but for this example we can ignore them and leave the default.

Back to the new package wizard, we wish to access the folder via the ConfigMgr share. This is a hidden share created by default

We can now set the priority; again, leave these as default. You can also choose to automatically download the content, or choose to do this manually and manually publish to distribution points.

Leave the MIF section as default

Click next and then Finish.

We’ve now created our first package.

If you right click  > properties you can adjust any items if required.

In the navigation pane (once refreshed) you will see your newly created package.

Access account is fairly standard, don’t worry about these.

Now we have our package, we need to create a program (remember the diagram in the last blog?) The program is contained within the package.

The program is the .exe or .msi which is going to run.

Quickly skip over to appdeploy.com to find out the command line switches..

Even though we have specified to hide alerts, sometimes (and some .exe’s) don’t have the suppress alerts switch packaged with them. We can choose to make sure the program runs hidden

Once it’s run if it needs a restart what action would you like to take?

Fill out any additional details. (size/what clients it can run on/maximum run time)

Now we can chose when we want this to run

We have many additional options (again I’m leaving these as default). We don’t need to run a program first before installing. But we could have a package which for example removes a certain application before installing this application.

If you have a licence key associated with the software you can enter it in here.

If for example SCOM is monitoring the server or workstation you can chose to ignore alerts/disable alerts from SCOM whilst this is running.

Click OK and Finish

We now have a program

Next step is to “send” this program to the distribution point

As we only have the one server we can only select MRSCCM02

Click OK then Finish.

If you now browse to that hidden file share I mentioned earlier:

You will see a new folder (we only have one package so far)

Within this folder we have the adobe reader .exe

We now need to advertise this to our clients. Right click > New > Advertisement

Click browse to select the package

Select the collection you wish to deploy (advertise) to

We can specify when we wish to advertise this

We can chose when we want to either schedule or just select to assign as soon as possible

Do we wish to allow system restarts outside of maintenance windows? What should the program re-run policy be?

If you are over a slow link (to remote offices) you will want them to download from the distribution point, but in your head office you will want to “stream” the application (and by that I mean the client will simply run it from MRSCCM02 as opposed to downloading it locally).

Do we wish the user to interact at all?

We can leave the default security rights for now

Click OK and Finish

We now have our advertisement setup.

We can choose to re-run this advertisement or even disable the program (which will then try to remove it from clients)

Now we need to check to see how this deployment is getting on. Browse to System status

We can see the program has been installed on the distribution point successfully. (Note: the program hasn’t been installed, this just means the program is available and ready for installation to clients).

If we now click on advertisements, you will see the files haven’t actually been advertised out to clients yet (it can take some time).

Once it starts to advertise to clients you can right click > view messages, and here we can see the status

We can now see both XP machines have received the advertisement and the program has been started

Checking the logs again shows it’s now running using the command line switch we specified

Now if we hadn’t chosen to hide the notifications this is the alert the user would see:

The user can then chose if they wish to have the software installed

Now I actually got bored of waiting for adobe reader to install, so I quickly published VLC player as I knew this was a small and easy install.

As you can see, I set to advertise every 5 minutes and install each time (hence why we have 18 installations….)

Viewing the XP machine we can now see on the desktop

Finally if we check the start menu, there’s our newly advertised program

There we have it. I’ll admit it’s been a fairly long blog this one but when you think about it, it’s not actually that difficult. Just remember the package must contain a program (the “WHAT”). You then need to define the schedule of the advertisement, and which collection it is being advertised to (the “WHEN” and “WHO”).
