mdop 2010: asset inventory service speaker fabrizio grossi [email protected]
TRANSCRIPT
AIS Features and Characteristics
Delivered through online serviceSmall unobtrusive clientAutomatically collects Software inventoryMicrosoft software and volume license reconciliation reportsExport reports data to XLS, XML, and PDFIdeal for branch offices and roaming users
Benefits of AIS
Effectively manages your software asset inventory to ensure compliance and optimize IT budgets Identifies applications and installations that are contrary to your corporate policiesProduces browser-based reports that help you forecast future needsEnhances application standardization within your IT infrastructure Analyzes how Microsoft volume license agreements are deployed
Supported browsers (for online service management)
AIS Client minimum hardware requirements
AIS Requirements
• 133 MHz or higher Pentium-compatible CPU• 64 MB memory
• Internet Explorer 6.0 • Internet Explorer 7.0
Additional support notes:• Supports multiple languages• Small size ~1.5MB• Non-memory resident when not in use• Monitors state to support self healing• Supports 32-bit and 64-bit platforms• Windows Server 2008
AIS Usage Flow (after purchasing SA + MDOP)
Sign-in: Sign in through passport
Download agent: MSI package
Deploy agent: Client machines send
inventoryto Web service
View reports:Sign in for reportssoftware assets
Registration: Activate the service from MVLS
website
How AIS Collects Inventory
Catalog Data Inventory Data
Report Web Service
Transformation Service
Information Web ServiceResearcher
Service
ClientProtocol(HTTPS)
.xml
Inventory Analyzer
Inventory Collector
MSI ARPStartMenu
Sample XML Output
<StaticProperty Type="Msi" ProductName="IT Connection Manager" CompanyName="Microsoft" ProductVersion="5.2.13" InstallDate="10/18/2006 00:00:00" Path="C:\Program Files\IT Connection Manager" FileName="SRUserService.exe" Language="1033" ProductId="{97D00967-D118-442D-9DC9-818A92BA2DDF}" PackageId="{545FC4F8-DBB9-486B-BEF4-FA0A5CCE783D}" GUID="{97D00967-D118-442D-9DC9-818A92BA2DDF}" RNP="0" DNP="0" UniqueId="11" />
<StaticProperty Type="AddRemoveProgram" DisplayName="IT Connection Manager"
CompanyName="Microsoft" ProductVersion="5.2" Path="C:\Windows\System32" RegistrySubKey="{97D00967-D118-442D-9DC9-818A92BA2DDF}" RegistryPath="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{97D00967-D118-442D-9DC9-818A92BA2DDF}" UninstallString="MsiExec.exe /X{97D00967-D118-442D-9DC9-818A92BA2DDF}" GUID="{97D00967-D118-442D-9DC9-818A92BA2DDF}" RNP="1" DNP="1" UniqueId="284" />
<StaticProperty Type="File" Name="SRUserService.exe" Path="C:\Program Files\IT
Connection Manager" Size="0x38b10" PeChecksum="0x3b3f2" Checksum="0xb2d1719e" LegalCopyright="Copyright© Microsoft Corporation. All rights reserved." OriginalFilename="CSRUserService.exe" InternalName="CSRUserService" ProductName="Secure Remote User" CompanyName="Microsoft Corporation" ProductVersion="5.3.0.4" FileVersion="5.3.0.4" BinProductVersion="5.3.0.4" BinFileVersion="5.3.0.4" VerLanguage="English (United States) [0x0409]" FileDescription="Secure Remote User Application" LinkDate="10/27/2006 22:50:57" Created="02/28/2006 21:00:14" Modified="11/01/2006 20:47:24" BinaryType="32BIT" RNP="4" DNP="5" UniqueId="12" LowerCaseLongPath="c:\program files\it connection manager\sruserservice.exe" />
MSI
ARP
Start Menu
AIS Catalog
Customer benefitsAggregation – Minor variants of the same software are aggregated based on version numberCategorization – By type of softwareAccuracy – E.g., rationalizing conflicting names for the same publisher across different software titles
Categorization progressOver 150,000 signatures categorizedResearchers categorization done continuously, prioritized by software popularity
Categorization Examples
Provides Reason/Example
Publisher name 72 “varieties” of Microsoft Corporation all show up as a single publisher (Microsoft Corporation)
Title name Repackaging can alter title, catalog can fix this
Version name Adobe Acrobat “7.0”
Category “Productivity & Viewers”/“Browsers”
Agent Deployment
Manual Deploy (download from Internet + Install)MSI package for easy deployment (e.g., via GP, WSUS)Deploying the AIS Client Using SMS/SCCMGP admin template for agent settings
Group membershipAdditional non-authenticating proxies
Automatically self-update from MUSecure enrollment
Company-specific certificate in MSI packageEnrollment operation obtains client cert from company certCompany-specific cert removed from client after enrollment
Default installation path for the client is:
• C:\Program Files\Microsoft System Center Online Client\folder
Diagnostic and troubleshooting information is found in:
• C:\Windows\sconlineclient.log• C:\Program Files\Microsoft System Center Online Client\Diagnostic Tools\
• Task Scheduler automatically schedules the client to run every 30 days
• Inventory data is gathered from WMI, MSI information, Start menu, and ARP
AIS Deployment Details
AIS Computer Groups
There are two ways to assign a computer to an AIS group:
• AIS can create logical computer groups
• Using Group Policy with sconline.adm
• Adding the following registry key: HKLM\SOFTWARE\Policies\Microsoft\SCOnline\ClientGroup
AIS Deployment DetailsAs part of the agent install:
• The customer certificate is stored on the system.• Installation runs the agent directly after installation has
successfully finished.
The registration component detects that the machine is not registered with the service.The registration component accesses the customer certificate.The registration component connects to the service and makes a registration request, providing a set of identifying properties.The registration component stores a unique identifier representing that system, to use in subsequent communications (Agent ID).
AIS Deployment Details
If Agent fails to register: Task Scheduler periodically invokes the agent and attempts to register. If Agent renews registration: Agent determines that the registration will expire soon, and renews the registration with the service. Agent attempts to re-register when: Agent determines that the underlying hardware has changed or certificate has expired, and initiates a new registration request. If an Agent tries to register when all seats in the account are already taken:
- The service will refuse the agent.- The customer will be notified in the Admin UI that the
limit has been reached.
Agent Operation
Implemented as tasks in Windows schedulerNo resources consumed when not running
AIS 1.5 agent tasksRun-once task for initial enrollmentDaily check for “inventory now” message
Can be run at most once/week from the serviceMay add other service-initiated policies in a future version
Monthly automatic inventory uploadScheduled to run on day of install (or 28th if install on 29th-31st)Reschedules itself to 28 days later after successful scheduled runRetries failed uploads within 20 minutes with incremental back-offRetries missed tasks within an hour of boot
Performance
Can typically get inventory within a weekService typically available for login within 1 day of activation on MVLS portalAgent deployment time depends on the tool. E.g., WSUS within a day or two, GP-SI within a couple of weeks (next reboot)Client inventory data available in reports typically within one hour of agent install
Negligible Impact on end-user machinesNo overhead when agent isn’t runningTypical inventory collection time is about a minuteTypical inventory upload size is under 50 kbytes
UI support up to 20,000 clients per accountUI responsiveness deteriorates after thatRecommend using multiple accounts to manage more clientsWe will increase this limit in a future version of AIS
Verifying Client Deployment
• Client should report within 15 minutes• If client has not reported within one hour, verify it has
installed properly
Protecting Your Data
Your inventory data remains confidential
Public privacy statement verified by leading privacy firm Jefferson Wells
Privacy
Redundant systems
Backup
Hosted by MS.COM
Availability
Datacenter with restricted physical access
Multi-tenant service with account specific certificate in MSI ensures only your clients upload data to your partition
SSL provides server authentication and secure data upload
Live ID login provides authorized access to data
Security
Inventory
Inventory:Windows Management Interface (WMI) is used for limited operating systems and system inventory.Application Compatibility Toolkit library is used for software inventory.
Integration with Microsoft licensing service Break-down by license channel
Detailed License Statement ReportManage License agreements by groups
Licence Reconciliation Overview
Managing Computers Reporting to AIS
AIS Computer Management TasksViewing Computers by Various PropertiesRetiring a ComputerRunning Computer Reports
AIS Computer Management Tasks
• Provides information about software installed on a computer
Report on computer
• Disable the computer from reporting to the AIS service
Retire computers
Feature Description
View computers• View computers in
the enterprise
Search for computers
• Search for a specific computer using any criteria in the details section
Computers can be sorted by several properties:
Viewing Computers by Various Properties
• Machine name• Last user log on• Group (if defined)
• Last reported date• Date discovered• Client version
Retiring a Computer
• Computer stops reporting to AIS
• AIS client must be re-installed to again enable reporting
• Deactivates reporting by disabling the scheduled task
Report Details:
Types of reports:
Running Computer Reports
• Operating system information
• Service packs• Base system details (RAM,
hard disk, manufacturer)
• Program Name• Publisher• Version• Category• Language
Managing Software Inventory Options
• View software installed on all clients
• Update software inventory• Search for specific software
Software can be sorted by several property types
Viewing Software by Various Properties
• Name• Version• Publisher• Installations• Category
Forcing a Software Inventory Update
• Launches from the home page
• Forces clients to report back to the AIS Web service within 24 hours
• Can only be executed once every 7 days
What Is the Software Application Catalog?
Identity (what you see in reports):
Component Definition
Identity The formal definition of an application, e.g. “Microsoft Word”
Signature The actual definition of an application, e.g. “Microsoft Word”
Annotation Related information, e.g. “www.microsoft.com”
Categorization Grouping information, e.g. Family/Category
Provides Reason/Example
Publisher name 10 varieties on Company Name
Title name Repackaging can alter title
Version name Version 9.2.1000.4 becomes 9.2 or 9.x
Family/Category “Productivity and Viewers” / “Browsers”
Reports can do thefollowing:
Running Software Reports
• Provide information about installed software
• Provide information on all software
• Provide information on software for a given period of time
Reports can:
• Be filtered• Be exported into
multiple formats
Generating Program Reports
In Program Report, enter reporting constraints:
• Publisher• Asset group• Categories• End date
What are Change Reports?
Change reports are a summary of your inventoried programs, and any application installations that occurred between two specified dates
© 2009 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
http://blogs.technet.com/italy