Understanding System Center 2012 Configuration Manager
Manage nearly every aspect of client computer configuration
April 19, 2013
System Center Configuration Manager 2012 SP1 is Microsoft’s solution for managing the configuration of client computers and devices, from computers running Windows XP through Windows 8 to systems running Mac OS X, Windows Phone, iOS, and Google Android. You can use Configuration Manager to perform tasks including software deployment, software update deployment, anti-malware client management, OS deployment, and hardware and software inventory. In this article, you’ll learn about some of the core Configuration Manager concepts and gain a greater understanding of the product’s functionality.
Configuration Manager Client
Configuration Manager performs most operations through special client software installed on each device. You can install the Configuration Manager client directly from the Configuration Manager console, install it manually using a traditional installer, or bake it into an OS image. The Configuration Manager client performs tasks such as retrieving policies from Configuration Manager and performing software and hardware inventory, software installation, software updates, and software metering.
Figure 1 shows the Actions tab of the Configuration Manager Properties dialog box. When you run the Machine Policy Retrieval & Evaluation Cycle, the client retrieves updated policies from Configuration Manager. This is useful when you want to test that a change you have made, such as configuring a new software deployment, works as expected and you don’t want to wait for the policy cycle to execute normally. You access this client through Control Panel.
Figure 1: The Configuration Manager Client
Operating System Deployment
Configuration Manager integrates with Windows Deployment Services to allow you to perform OS deployment and image capture. You automate these processes by configuring task sequences. For example, you can configure task sequences to automate the deployment of a reference image, populate that image with applications and updates, and then perform an image capture of the deployed reference computer. The advantage of using this method, rather than a manual build and capture, is that once you’ve built the automation to build an image, you only need to tweak that automation to build the next image. When you automate the build and capture process in this manner, you make it more accurate and repeatable. Repeatability is important in building OS images that include applications. If you’ve ever been involved in manually building complex images, you’ll have experienced that sinking feeling when you discover that there’s a single simple application that you’ve forgotten to include in the current build that you remembered to include in all the previous ones.
Configuration Manager also supports the automation of offline image maintenance, so you can keep images up to date with the latest patches, hotfixes, and service packs without having to perform full deployment and capture operations. Being able to update your offline images saves you an immense amount of time and of course reduces—even eliminates—the software updates that need to be installed between the computer being deployed and the computer being put into service.
Software Deployment
Most organizations use Configuration Manager primarily as a software deployment solution. Configuration Manager 2012 supports software deployment using Packages and Programs, which lets you use packages and programs from Configuration Manager 2007 with Configuration Manager 2012. Configuration Manager applications are a new way of performing software deployment operations that give you substantially more options than the traditional Packages and Programs method. You can use Configuration Manager to deploy software in the formats that Figure 2 shows.
Figure 2: Software Formats
One of the primary benefits of using Configuration Manager applications for software deployment is that they support multiple deployment types. A deployment type lets you deploy an application in a different way, depending on the properties of the computer to which you're deploying the application. For example, you could configure an application so that it’s installed as an .msi file on a computer that has one set of properties (e.g., a particular CPU or amount of RAM) and as an .appx file on a computer that has another set of properties.
Configuration Manager 2012 also allows a user’s primary device to be set, so you can use that as a condition when configuring a deployment type. For example, you might use this setting to deploy an application sequenced using Microsoft Application Virtualization (App-V) if you need to deploy an application to a user who isn’t signed on to a computer designated as his or her primary device, and deploy the application as an .msi if the user is signed on to a computer designated as the primary device.
Configuration Manager software deployment also supports the following additional features:
Application Catalog—This self-service portal allows users to request software that they can either install automatically or install subject to approval. Deploying this feature lets users request software themselves without having to lodge a Help desk ticket.
Application dependencies—When properly configured, dependencies allow other Configuration Manager applications to be deployed to support the application (e.g., having Configuration Manager automatically deploy the App-V client to a computer before deploying a virtualized application).
Application Supersedence—This feature, which Figure 3 shows, lets you configure existing deployment types so that they’re replaced. You can use this to upgrade from one version of an application to another automatically, or to replace one application with another automatically.
Figure 3: Supersedence
Software Updates
Configuration Manager builds on Windows Server Update Services (WSUS). You need to have a WSUS server present in your environment, though once you introduce Configuration Manager, you stop managing WSUS directly and allow Configuration Manager to take over. Configuration Manager 2012 provides you with more options than WSUS, allowing the deployment of updates for Microsoft products as well as allowing the deployment and management of software updates for certain third-party products.
Configuration Manager 2012 provides sophisticated options for the automatic deployment of updates. You can also use Configuration Manager 2012 to perform offline updates to OS deployment images. Configuration Manager 2012 includes a number of sophisticated reports, which provide software update administrators a more accurate picture of how successful software update deployment has been in comparison with WSUS.
Inventory and Metering
Configuration Manager lets you perform software and hardware inventory, as well as perform software metering. Software and hardware inventory are straightforward. The Configuration Manager client does an audit of all the hardware and software on the device and reports that information back to Configuration Manager. You can use the information generated by this inventory to create Configuration Manager queries, upon which you can base device collections.
Software metering lets you track how often particular applications are used. For example, metering allows you to determine how often a particular CAD program is run. With Configuration Manager, you can enable the automatic creation of metering rules in a disabled state for any application that's used on a specified percentage of computers in the organization. You can then enable these metering rules to track utilization of a specific application. Metering can be very useful in determining how the IT department responds to a particular application. In one case I know of, an organization was holding off its migration from Windows XP to Windows 7 because it was waiting on a compatibility solution for three applications that were included in the base image. When metering was turned on, it was found that these three applications were used by fewer than 10 people in an organization numbering thousands. Having an understanding of the number of users involved with the applications that were holding up the move to Windows 7 allowed the organization to revise its migration plans.
Compliance
Compliance lets you set a configuration baseline—be it a registry setting, the existence of a file or folder, or a particular version of an application—against which you can measure computers in your organization. You use the compliance functionality of Configuration Manager to determine whether the configuration of those computers meets or falls below your organizational needs. You can use compliance to ensure that computers in your organization meet legislative or security requirements. In Configuration Manager 2012, you can use the compliance functionality to remediate certain types of discrepancy, such as altering registry settings.
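The evaluate-then-remediate logic that a baseline applies to registry settings, sketched as a standalone PowerShell script. This is an added example, not Configuration Manager's own code or code from the article; the registry key, value names, and expected data are constructed placeholders.

```powershell
# Constructed baseline: each rule names a registry value and the data it must hold.
# The key path and value names are placeholders, not settings from the article.
$Baseline = @(
    @{ Path = 'HKCU:\Software\ExampleBaseline'; Name = 'ScreenLockEnabled'; Type = 'DWord';  Expected = 1 }
    @{ Path = 'HKCU:\Software\ExampleBaseline'; Name = 'UpdateChannel';     Type = 'String'; Expected = 'Managed' }
)

function Test-BaselineRule {
    param([hashtable]$Rule)
    # A missing key or value counts as non-compliant rather than as an error.
    $item = Get-ItemProperty -Path $Rule.Path -Name $Rule.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Rule.Name) } else { $null }
    [pscustomobject]@{
        Setting   = "$($Rule.Path)\$($Rule.Name)"
        Expected  = $Rule.Expected
        Actual    = $actual
        Compliant = ($null -ne $actual) -and ($actual -eq $Rule.Expected)
    }
}

function Repair-BaselineRule {
    param([hashtable]$Rule)
    if (-not (Test-Path -Path $Rule.Path)) {
        New-Item -Path $Rule.Path -Force | Out-Null
    }
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $Rule.Path -Name $Rule.Name -PropertyType $Rule.Type `
        -Value $Rule.Expected -Force | Out-Null
}

function Invoke-BaselineEvaluation {
    param([hashtable[]]$Rules, [switch]$Remediate)
    foreach ($rule in $Rules) {
        $result = Test-BaselineRule -Rule $rule
        if (-not $result.Compliant -and $Remediate) {
            Repair-BaselineRule -Rule $rule
            $result = Test-BaselineRule -Rule $rule   # re-evaluate after the fix
        }
        $result
    }
}

# Report only, then evaluate again with remediation enabled.
Invoke-BaselineEvaluation -Rules $Baseline | Format-Table -AutoSize
Invoke-BaselineEvaluation -Rules $Baseline -Remediate | Format-Table -AutoSize
```

The first pass reports both settings as non-compliant on a machine where the placeholder key does not exist; the second pass creates the values and reports them as compliant.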
Endpoint Protection
System Center Endpoint Protection is an evolution of Microsoft’s Forefront Endpoint Protection anti-malware product. Rather than having the anti-malware aspect of client health managed through a computer running the Forefront console and other parts of client health (e.g., adherence to a configuration baseline) monitored in a separate console, the integration of Endpoint Protection lets you monitor all aspects of client health through Configuration Manager. As the information from the Endpoint Protection client is stored in the Configuration Manager database, it can also be used as the foundation for query-based Configuration Manager device collections. In SP1, Endpoint Protection is also provided for OS X clients and Linux file servers.
Windows Intune Integration
With the release of System Center 2012 SP1, you can integrate an on-premises Configuration Manager deployment with a Windows Intune subscription. Rather than set up Configuration Manager on the perimeter network so that clients on the Internet are able to contact the servers directly, integrating Windows Intune with Configuration Manager allows Windows Intune to take on the role of managing devices outside the perimeter network. When you integrate Configuration Manager with Windows Intune, you can use the Configuration Manager console to manage non–domain-joined devices, including mobile devices, that are connected to networks both inside and outside the perimeter network.
User and Device Collections
You perform actions in Configuration Manager, such as software deployment, against collections. Configuration Manager supports user collections, made up of user accounts and groups, and device collections, made up of computers and other devices. You can create collections manually, or you can configure collections to be generated dynamically—for example, a device collection that includes only computers that have Microsoft Office 2010 SP1 installed, or users who report to a specific manager.
All-In-One
Configuration Manager 2012 SP1 lets you manage almost all aspects of client computer configuration. Not only does it provide a platform for the deployment and management of applications, but you can also use it as an anti-malware, software update, and configuration monitoring solution.