System Center 2012 R2 Configuration Manager with Windows Intune
Jeff Chin, Client Technologies Guy
The explosion of devices is eroding the standards-based approach to corporate IT.
Devices
Deploying and managing applications across platforms is difficult.
Apps
Today’s challenges
Data
Users need to be productive while maintaining compliance and reducing risk.
Users expect to be able to work in any location and have access to all their work resources.
Users
Devices Apps Users
Empowering People-centric IT
Enable users
Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Protect your data
Help protect corporate information and manage risk.
Management. Access. Protection.
Data
Unify your environment
Deliver a unified application and device management on-premises and in the cloud.
Selecting the Management Platform
Unified Device Management – System Center 2012 R2 Configuration Manager with Windows Intune
Cloud-based Management - Standalone
Windows Intune
No existing Configuration Manager deployment
Simplified policy control
Fewer than 7,000 devices and 4,000 users
Simple web-based administration console
System Center 2012 R2 Configuration Manager
Enable Users
Allow people to be more productive from almost anywhere on almost any device.
Simplify Administration
Improve IT effectiveness and efficiency.
Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
Unified Device Management
Mac OS X
Windows PCs
(x86/64, Intel SoC),
Windows to Go
Windows Embedded
Windows RT,
Windows Phone 8
iOS, Android
Registering and Enrolling Devices
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.
What’s New in Mobile Device Inventory?
* Inventory capability varies by device platform
New global condition to differentiate app installs on corporate versus personal
App Management
Personal devices – Inventory only apps installed by ConfigMgr/Intune
Corporate devices – Complete inventory of all applications on the device*
App inventory
By default, user-enrolled devices are “Personal”
Admin can specify corporate-owned devices
“Compromised” device detection
Personal vs Corporate Owned Devices
Resource Access Configuration
Supported platforms
Windows 8.1
Windows 8.1 RT
iOS
Android
Benefits
End users get access to company resources with no manual steps for them
New Features*
Configure networking profiles
VPN profiles
Support for Windows 8.1 Automatic VPN
Wi-Fi protocol and authentication settings
Management and distribution of certificates
Configure remote connection to work PCs
VPN Profile Management
Support for major SSL VPN vendors
DNS name-based initiation
support for Windows 8.1 and iOS
Application ID based initiation
support for Windows 8.1
Automatic VPN connection
Support for VPN standards like PPTP, L2TP, IKEv2
SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
Subset of vendors have Windows
Windows RT VPN plug-in
Wi-Fi and Certificate Profiles
Wi-Fi settings
Manage and distribute certificates
Deploy trusted root certificates
Support for Security Center Endpoint Protection (SCEP) protocol
Manage Wi-Fi protocol and authentication settings
Provision Wi-Fi networks that the device can auto-connect to
Specify certificate to be used for Wi-Fi connection
User-centric Application Delivery
End User Self-Service
IT
Administrators publish software titles to catalog, complete with metadata to enable search
• Deliver best user experience on each device
Users can browse, select and install directly from Catalog
• Application model determines format and policies for delivery
User
Demo: Unified Device Management
(Mobile Devices, Client Experience, Intune, Application Model)
Unify Infrastructure
Reduced Infrastructure Requirements
Endpoint Protection
Compliance and Settings Management
Distribution Point for Windows Azure
Software Update Management
Content Management
Unify Infrastructure
Reduce costs by unifying IT management infrastructure.
Reduced Infrastructure Requirements
Central Administration Site
• Scale
• Support multiple primary sites
• Future proofing your hierarchy (SP1)
Primary Sites
• Client assignment (up to 100k)
• Reduce impact of a primary site failing
• Political reasons
• Delegated administration
• Different client agent settings
• Language packs
• DMZ/Internet Facing
• Untrusted forests (new in R2)
Secondary Sites
• Content fan-out
• Manage upward flow of WAN traffic
• Content routing
• Throttling (now in Distribution Points)
Reasons
Why Obsolete
Reasons
Distribution Points
• Distribute Content
• Branch Distribution Points
“We spend almost [U.S.] $800 per server on annual maintenance activities. Configuration Manager scales to our
organization size and now we are able to reduce the number of servers from 110 to 35, thus saving on the
maintenance costs.” – Systems management administrator at a US based manufacturing company
Cross-platform Integration
Manage non-Windows desktops including Mac OS X
Manage non-Windows servers including Linux and
UNIX
Access business apps on non-Windows machines via
Citrix XenApp integration
* Cross-platform integration enhancements are
available with Configuration Manager Service Pack 1
(beta released in September 2012)
Consolidation and Cross-platform Integration
Consolidation
Co-locating site system roles onto
single server.
Eliminating servers required for
client security.
Simplifying system architecture by
reducing number of sites.
600 hours or U.S. $30,000 saved each year due to reduced administration overhead
Business Value of Microsoft® System Center 2012 Configuration Manager
Security and Compliance
Endpoint Protection
Unified Infrastructure
Simplified server and client deployment.
Streamlined updates.
Consolidated reporting.
Comprehensive Protection Stack
Behavior monitoring.
Antimalware.
Dynamic Translation.
Windows Firewall Management.
Security and Compliance
Settings Management
ConfigMgr MP, Baseline, ConfigMgr Agent
WMI, XML, Registry, IIS, MSI, Script, SQL, Software Updates, File, Active Directory
Baseline Configuration Items
Auto Remediate
OR
Create Alert (to Service Manager)!
Improved functionality
Copy settings
Trigger console alerts
Richer reporting
Enhanced versioning and audit tracking
Ability to specify versions to be used in baselines
Audit tracking includes who changed what
Pre-built industry standard baseline templates through IT Governance, Risk & Compliance (GRC) Solution Accelerator
Assignment to collections
Baseline drift
CAS
Primary Site MP Role
Primary Site DP Role
Assigns policy to scan for update status or to deploy update
Distributes updates
Reports compliance
Microsoft Update
Primary Site SUP Role/WSUS
Identifies who needs updates and reports on compliance
Downloads updates
Auto Deployment
Faster deployment through search.
Schedule content download and deployment to avoid
reboot during work hours.
State-based Updates
Allows individual or group deployment.
Updates added to groups auto deploy to targeted collections.
Optimized for New Content Model
Reduce replication and storage.
Expired updates and content deleted.
Security and Compliance
Software Update
Distribution Point for Windows Azure
Rich feature set
PR1
MP
MP
DP
Windows Azure Distribution Point
Microsoft Update
Policy
Content
Firewall
Corporate Network
Integrated monitoring
In-console content monitoring
Ability to monitor storage and traffic out usage
Content is fully encrypted
Content Management in R2
monitoring
The sources for a pull DP can be randomized to achieve load balancing and flexibility.
Pull DP in-console monitoring on par with standard DP.
Enable pull distribution point to send state messages via MP.
Pull DP improvements
Reduced the amount of interaction between remote DPs and the Distribution Manager.
Optimized content distribution by adding distribution point priority and keeping send requests in SQL.
New report: Distribution Point Usage – shows how much a particular DP gets used.
Infrastructure improvements
Demo: Security and Settings Management
(Settings Management, Endpoint Protection, Software Updates)
Modern Management Console
Role-based Administration
Operating System Deployment
Asset Intelligence
Client Health
Simplify Administration
Improve IT effectiveness and efficiency.
Simplify Administration
Intuitive ribbon interface
In-console alerts
Global search capability
New collection membership rules allow better filtering of members
Windows PowerShell enablement
Modern Management Console
Unified Device Management Console
Mobile device management integrated directly into console experience
Common tools for policy and application management
Unified reporting across device platforms
User collections enable user-centric setting and application deployment across device types
Role-based Administration
Functionality | ConfigMgr 2007 | ConfigMgr 2012
What types of objects can I see and what can I do to them? | Class rights | Security roles
Which instances can I see and interact with? | Object instance permissions | Security scopes
Which resources can I interact with? | Site specific resource permissions | Collection limiting
Meg - WW Central System Administrator
Louis - Software Update Manager for France
• Can see & update “France” desktops
• Cannot modify security settings on “France” desktops
• Cannot see “All Systems” or “U.S.” desktops
Bob - US and France Security Admin
• Can see and modify security settings on “France” and “U.S.” desktops
• Cannot update “France” or “U.S.” desktops
• Cannot see “All Systems”
Map the organizational roles of your administrators
to defined security roles
• Security organization role
• Geography
Reduces error, defines span of control for the organization
RBA enhancements in R2 include SQL Reporting
Operating System Deployment
Multiple Deployment Method Support
PXE initiated deployment allows client computers to
request deployment over the network
Multi-cast deployment to conserve
network bandwidth
Stand-alone media deployment for no network
connectivity or low bandwidth
Pre-staged media deployment allows you to deploy
an operating system to a computer that
is not fully provisioned
User State Migration Tool (USMT) 4.0 UI integration makes it easier to transfer files and user settings from one machine to another
CAS
Primary Site
MP Role
Primary Site
DP Role
Image Task Sequence
Report
WDS PXE Server
Core Operating System Deployment Scenarios
Scenario | Key Functionality
New computer
• Fresh install of a new operating system on client or server system
• New or repurposed hardware
PXE boot
• Integrate with Windows Deployment Services (WDS) PXE server
• Self-provisioning via F12
Wipe-and-load
• Install new version of operating system
• Reinstall applications and user state under new operating system
Side-by-side
• Similar to wipe-and-load, except between two different devices
Offline with removable media
• With low bandwidth or no connectivity
• Large software packages are on the media
Prestaged Media
• Optimized for network bandwidth
• Speeds up end to end deployment
Client Activity and Health
In-console view of client health
Threshold-based console alerts
Heartbeat DDRs
HW/SW inventory and status
Remediation
Asset Intelligence, Inventory, and Software Metering
Consolidated/simplified reporting that allows you to
Understand software installation profiles
Plan for hardware upgrades
Identify over or under licensing issues
Track custom apps or groups of titles
Software Metering and License Reports
Asset Intelligence Service
Asset Intelligence Catalog
Real-Time Application
and Hardware Intelligence
ConfigMgr Inventory
Demo: Consoles, Dashboards, and more Consoles/Dashboards
(Role Based Admin, Client Health and Settings, Reporting, Deployment Dashboards)
Summary
Enabled
Unify
Simplify
Role-based Administration
Content Management
Software Update Management
Reduced Infrastructure Requirements
User-centric Application Delivery
Modern Device Management
Compliance and Settings Management
Endpoint Protection
Operating System Deployment
Asset Intelligence, Inventory and Software
Metering
2012
EAS
User-centric
Updated engine
Improved
RBA in Reporting
Windows 8.1 support
2012 R2
Improved
Web App deployment
New
Integrated
Auto remediation
Improved
New
Improved
Improved
2012 SP1
Unified
Win 8 Apps
Flexible hierarchies
Real-time actions
User profile and data
Improved
Improved
Improved
Modern Management Console Additional cmdlets New Windows PowerShell
Client Health Improved Improved
Distribution Point for Windows Azure New
http://www.microsoft.com/workstyle
http://www.microsoft.com/server-cloud/user-device-management
More Resources:
System Center 2012 Configuration Manager
http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune
http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012
http://www.microsoft.com/en-us/server-cloud/windows-server
For More Information
Appendix
Full and Selective Wipe
Category | Windows 8.1 (x86/RT OMA-DM managed) | Windows 8 RT | Windows Phone | iOS | Android
Full Wipe Not applicable Not applicable
Selective Wipe
Email (Email through EAS) (Email through EAS)
Company apps and associated data installed by using Configuration Manager and Windows Intune | Uninstalled and sideloading keys are removed. In addition any apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible | Sideloading keys removed but remain installed | Uninstalled and data removed | Uninstalled and data removed | Apps and data remain installed
VPN and Wi-Fi profiles | Removed | Not applicable | Not applicable | Removed | VPN: Not applicable; Wi-Fi: Not removed
Certificates | Removed and revoked | Not applicable | Not applicable | Removed and revoked | Revoked
Settings | Requirements removed | Requirements removed | Requirements removed | Requirements removed | Requirements removed
Management Client | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Not applicable. Management agent is built-in | Management profile is removed | Device Administrator privilege is revoked
Windows Embedded Support
• Windows Thin PC
Repurposed PC
Supported Write Filters
• File Based Write Filters (FBWF) (preferred for scalability)
• Enhanced Write Filters (EWF) RAM
Ability to force persistence of changes for
• Applications
• Packages and programs
• Software updates
• Task sequences
• Endpoint Protection client installation
Eventual persistence of changes for
• Client agent settings
• Settings management remediation
• Power management
Without write filters enabled, embedded devices can be
managed like any other Windows client. When write filters
are enabled, they require special handling, now provided
seamlessly.
• Windows XP Embedded
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
• Windows Embedded Standard 8
Thin Clients
Same as Thin Clients, plus
• POS Ready 2009
• POS Ready 8
POS/Kiosk
• Windows Embedded Standard 2009
• Windows Embedded Standard 7
• Windows Embedded Standard 8
Digital Signage
Linux and UNIX Servers
• Version 4 (x86/x64)
• Version 5 (x86/x64)
• Version 6 (x86/x64)
Red Hat Enterprise Linux
• Version 9 (SPARC)
• Version 10 (SPARC/x86)
Solaris
• Version 9 (x86)
• Version 10 SP1 (x86/x64)
• Version 11 (x86/x64)
SUSE Linux Enterprise Server
Supported operating systems across both:
• Configuration Manager
• Operations Manager
Earlier versions supported as long as vendor provides support
Broader Linux distro support being evaluated for future releases
Hardware and Software Inventory
Software Deployment
• Using the Package and Program model
• Deploy/patch software, deploy OS patches and run
maintenance scripts that target a collection
Consolidated reports
• CentOS 5, 6
• Debian 5, 6
• Ubuntu 10.4 LTS, 12.4 LTS
• Oracle Linux 5, 6
Recently Added
Mac OS X
Configuration Manager native client
Key management capabilities
Improved enrollment in R2