Each “Bottom Line” section in the chapters suggests exercises to deepen skills and understanding. Sometimes there is only one possible solution, but often you are encouraged to use your skills to create something that builds on what you know and lets you explore one of many possible solutions.
Plan and design a Central Administration Site. One of the first questions you will ask yourself while starting to design and plan a new Configuration Manager hierarchy is “Do I need a Central Administration Site?” The answer to this question is essential for your final design.
Master It Determine when a CAS is needed.
Solution When there is a need for more than one primary site in your Configuration Manager infrastructure, you also need a CAS. If not, keep in mind that a stand-alone primary site can be expanded into a hierarchy with a CAS only once.
Plan and design an effective Configuration Manager infrastructure. When planning and designing a new Configuration Manager infrastructure, it is important to plan your site placement appropriately. The design rules for primary sites have changed from how they were in Configuration Manager 2007.
Master It Understand the reasons for not needing an additional primary site implementation.
Solution You don’t need to implement an additional primary site for the following reasons:
- Decentralized administration
- Logical data segmentation
- Discrete client settings
- Languages
- Content routing for deep hierarchies
Identify the enhancements to the distribution point site system role. Distribution points in older versions were used to provide local points for accessing content and later also for App-V streaming. In Configuration Manager, distribution points do a lot more.
Master It Distribution points have been enhanced. What roles and components are merged with the new distribution point, and what’s new?
Solution Tricky question; not only are the PXE-enabled distribution points and the multicast-enabled distribution points merged with the new distribution point, but the old branch distribution point and the distribution share are merged into it as well. The distribution point can be installed on both Windows Server and Windows client operating systems. Some new features of the distribution point are
- Bandwidth control
- Scheduling and throttling data synchronization
- Ability to specify drives for content
- Content validation on the distribution point
- Support for content prestaging
Prepare your current Configuration Manager 2007 environment for migration to Configuration Manager. An in-place upgrade of Configuration Manager 2007 to Configuration Manager is not supported. Configuration Manager has a migration feature within the feature set to enable side-by-side migration.
Master It How can you as a Configuration Manager administrator or consultant prepare a current Configuration Manager 2007 environment for migration to Configuration Manager?
Solution Steps you can take to prepare for the migration to Configuration Manager include the following:
- Flatten your hierarchy where possible.
- Plan for Windows Server OS Upgrade and SQL Server Upgrade.
- Use the UNC path in your packages instead of local paths.
Determine what you are able to migrate with the migration feature. The migration feature in Configuration Manager allows you to migrate the old Configuration Manager investments to a new Configuration Manager hierarchy side by side.
Master It With the migration feature, you cannot migrate objects like the following:
- Queries
- Security rights for the site and objects
- Configuration Manager reports from SQL Server Reporting Services
- Configuration Manager 2007 web reports
- Client inventory and history data
- AMT client-provisioning information
- Files in the client cache
Identify what objects you can migrate.
Solution You are able to migrate to a new Configuration Manager environment nearly every investment you made in earlier versions. The following list includes all the objects that can be migrated:
- Collections
- Advertisements and deployments
- Boundaries
- Boundary groups
- Global conditions
- Software distribution packages
- Applications
- Virtual application packages
- App-V virtual environments
- Software updates
- Deployments
- Deployment packages
- Deployment templates
- Software update lists
- Software update groups
- Automatic deployment rules
- Operating system deployment
- Boot images
- Driver packages
- Drivers
- Images
- Installer
- Task sequences
- Settings management
- Configuration baselines
- Configuration items
- Asset intelligence
- Catalog
- Hardware requirements
- User-defined categorization list
- Software metering rules
- Saved searches
Discover which migration approach is supported. Configuration Manager provides migration features that can be used for your migration of Configuration Manager 2007 to the current version.
Master It With the earlier upgrades or migrations of Configuration Manager in your mind, what migration approaches are supported when migrating from previous versions of Configuration Manager?
Solution Configuration Manager officially supports only one migration approach, the side-by-side migration approach, when using the migration feature. The wipe-and-load approach is used only if you do not need to migrate anything from your old Configuration Manager environment.
Ascertain what kind of interoperability is supported during the migration. Interoperability like that supported in earlier versions is no longer supported; nevertheless, the migration feature of Configuration Manager supports some interoperability during the migration process. Depending on the size of your Configuration Manager source hierarchy, the migration can take some time.
Master It Interoperability like you were used to in SMS 2003 and Configuration Manager 2007 is no longer supported. Give two examples of interoperability features in the current version of Configuration Manager.
Solution For interoperability purposes you are able to use shared distribution points in the process of migrating objects from a source hierarchy to the new one. Another interoperability feature is the ability to re-migrate updated objects. In other words, you can re-migrate objects that have been updated in the source Configuration Manager hierarchy while migrating other objects.
Understand Configuration Manager sites and the new approach to hierarchy design. Configuration Manager has three types of sites: the central administration site, which is new, and the primary and secondary sites, which should be familiar to you. Although two of the three site types are familiar, their use and approach to hierarchy design—or whether a hierarchy is needed at all—are quite different now.
Master It Describe the purpose of each site type and map each to specific management needs.
Solution
- Central Administration Site: Only present if a hierarchy is being configured. Provides centralized administration for the hierarchy but no direct client management.
- Primary site: Clients are assigned to primary sites, and this is where they receive management instruction, regardless of where in the hierarchy the client might be located.
- Secondary site: This type of site is of use only in situations where bandwidth conditions are so slow or unstable as to require a site server to throttle even small traffic, such as discovery and inventory information.
Construct a Configuration Manager hierarchy. The site hierarchy in Configuration Manager consists of the site types just described. The approach to design is very different from the previous version, with the number of primary sites being limited to a single tier. The chapter walked through configuring a hierarchy with all three site types.
Master It Describe a Configuration Manager site hierarchy. Detail components needed for site-to-site communication and security settings.
Solution
- Hierarchies always consist of a CAS and at least one primary child site. Additional primary child sites might be in place as well. Secondary sites should rarely be used but may be added if needed.
- Site-to-site communication requires site servers to have proper addresses and senders to be configured and correct credentials to be assigned where applicable.
- Configuration Manager installations create several local security groups that are used to grant access to site resources and facilitate site-to-site communication.
Determine when to expand a hierarchy and when to simply add a site system role for additional service. A major design goal of Configuration Manager is simplified hierarchy design. Administrators familiar with previous versions may be tempted to retain old hierarchy approaches when designing Configuration Manager. Taking such an approach will often lead to inefficient designs and additional server cost and in some cases simply won’t work.
Master It Understand the changes in sites and site components that lend themselves to hierarchy simplification and enable parity management with fewer site servers.
Solution
- Distribution point modifications include the ability to throttle content directly to remote distribution points. In addition, it is now possible to install distribution points on workstation systems directly where needed.
- Boundary groups simplify hierarchy configurations by allowing administrators to strictly define which distribution points are used to service specific client content requests.
- The updated security model in Configuration Manager allows administrators to scale out a single site while still maintaining logical separation of user role and function. There is no longer a technical need to have separate primary sites for servers and workstations. When managed properly, a single primary site is able to manage both seamlessly while protecting resources from access by unauthorized users.
Deploy and configure the various site system roles available per site. There are many roles available to enable management at a site. Understanding each role and the service it delivers is critical to getting the most out of your investment in Configuration Manager.
Master It Review critical system roles and understand the services that are enabled through each.
Solution
- Critical site system roles are those that are required for basic Configuration Manager functionality at most sites. These include the management point and distribution point roles.
- Management points facilitate client-to-site server communication.
- Distribution points store content that may be needed by clients of the site.
Configure boundaries and boundary groups. Before starting any client installation, verify that you have configured a boundary group for site assignment.
Master It Let Configuration Manager Forest Discovery automatically create the boundaries and add them to the correct boundary groups.
Solution Once you have configured Forest Discovery, add the automatically created IP subnet boundaries to a new or existing boundary group.
Select the relevant discovery methods. You configure discovery methods in the Configuration Manager console. The Active Directory discovery methods all require a schedule and an LDAP path. There are schedules for delta and full discovery. In Configuration Manager, delta discovery will also find changes to existing objects; this eliminates the need to run a full discovery more than once a week.
Master It Always know what you want to discover and where. Based on that knowledge, configure the needed discovery methods.
Solution The correct discovery method depends on how you want to deploy clients and work with features like application deployment. For a client push installation to work, it is a good idea to configure Active Directory Computer Discovery. On the other hand, if you want to deploy applications to end users, you also need to configure Active Directory User Discovery.
Employ the correct client installation methods. When configuring the client installation methods, make sure you know the pros and cons for each method. Some require firewall settings; others require local administrative permissions. You need to make sure that all the required settings are in place. Do not start any installation until you have the needed site systems, boundary groups, and command lines specified.
Master It Configure the correct command-line properties and ensure they will work for all environments (local forest, workgroup, and DMZ). Create multiple client push installation accounts, and ensure that you have a good understanding of the three phases (preinstallation, installation, and post-installation).
Solution Configure the command-line properties in the properties for the client push installation method. That way, you ensure that the properties are always replicated to Active Directory and can be read during the client installation.
Furthermore, add to the client push installation properties the command-line properties that will also work in another forest and in a workgroup.
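As an added example (not material from the book), the following PowerShell builds the client.msi property line for the three environments named in the exercise, together with the full ccmsetup.exe command line for cases where client push cannot reach the machine, and runs a few consistency checks before the line is used. The site code, server names and DNS suffix are constructed placeholders.

```powershell
# Added example: client installation properties per environment (forest, workgroup, DMZ).
# All server names, the site code and the DNS suffix below are placeholders.
function Get-CcmSetupCommandLine {
    param(
        [Parameter(Mandatory)][ValidateSet('Forest','Workgroup','DMZ')][string]$Environment,
        [string]$SiteCode            = 'PS1',                 # placeholder site code
        [string]$ManagementPoint     = 'cm01.corp.example',   # placeholder intranet MP FQDN
        [string]$InternetMP          = 'cm-inet.example.com', # placeholder Internet-facing MP FQDN
        [string]$FallbackStatusPoint = 'cm01.corp.example',   # placeholder FSP FQDN
        [string]$DnsSuffix           = 'corp.example'         # placeholder DNS suffix for MP lookup
    )
    # client.msi properties: this is what goes into the client push Installation Properties.
    # FSP is included everywhere so that installation failures are still reported to the site.
    $properties = @("SMSSITECODE=$SiteCode", "FSP=$FallbackStatusPoint")
    # ccmsetup.exe switches (leading slash) only apply to a manual or scripted ccmsetup run.
    $switches = @()
    switch ($Environment) {
        'Forest' {
            # Domain-joined clients in the site's forest read the published site
            # information from Active Directory, so the site code is enough.
        }
        'Workgroup' {
            # No Active Directory lookup: name the management point explicitly and give
            # the DNS suffix under which the management points are published.
            $properties += "SMSMP=$ManagementPoint", "DNSSUFFIX=$DnsSuffix"
        }
        'DMZ' {
            # Internet-facing clients use a PKI client certificate and the Internet FQDN of the MP.
            $properties += "CCMHOSTNAME=$InternetMP"
            $switches   += '/UsePKICert'
        }
    }
    [pscustomobject]@{
        Environment    = $Environment
        PushProperties = ($properties -join ' ')
        CommandLine    = (@('ccmsetup.exe') + $switches + $properties) -join ' '
    }
}

function Test-CcmSetupCommandLine {
    param([Parameter(Mandatory)][pscustomobject]$Plan)
    # Consistency checks to run before pasting the properties into client push or a script.
    $problems = @()
    if ($Plan.PushProperties -notmatch '(^|\s)SMSSITECODE=[A-Z0-9]{3}(\s|$)') {
        $problems += 'SMSSITECODE must be a three-character site code.'
    }
    if ($Plan.Environment -ne 'Forest' -and $Plan.PushProperties -notmatch '(^|\s)(SMSMP|CCMHOSTNAME)=') {
        $problems += 'Clients without AD access must be told a management point (SMSMP= or CCMHOSTNAME=).'
    }
    if ($Plan.Environment -eq 'DMZ' -and $Plan.CommandLine -notmatch '/UsePKICert') {
        $problems += 'Internet/DMZ clients must be installed with /UsePKICert.'
    }
    return $problems
}

foreach ($env in 'Forest','Workgroup','DMZ') {
    $plan = Get-CcmSetupCommandLine -Environment $env
    "{0,-9} push properties : {1}" -f $plan.Environment, $plan.PushProperties
    "{0,-9} manual install  : {1}" -f $plan.Environment, $plan.CommandLine
    Test-CcmSetupCommandLine -Plan $plan | ForEach-Object { "  !! $_" }
}
```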
Manage Unix/Linux and Mac devices. Configuration Manager provides support for managing Unix/Linux and Mac computers as devices. You are now able to manage your entire computer infrastructure from a single management console.
Master It Understand the installation methods available for deploying the Configuration Manager client to the Unix/Linux computers and Mac computers. Remember that client push cannot be used for these devices.
Solution The client installation process for Unix/Linux devices has several required parameters, such as the site code, the management point, and the installation package to use. Use the optional parameters to define other client configuration features, such as the fallback status point to use or the folder that will be used for the client installation.
Ensure client health. Client status might not be the first task you think about when implementing a system like Configuration Manager. But it is crucial to the daily administration that you can trust the numbers you see in the reports and in the console. One way to ensure that is by making certain that all clients are healthy and are providing the server with up-to-date status messages and discovery information.
Master It Discuss the different environments that exist in your organization, and use that information when configuring client health alerts. Make sure that you know the client activity during a normal period and that you have a set of defined SLAs for each of the environments (laptops, road warriors, servers, call center, and so forth).
Solution Create unique collections corresponding to each computer role type that you have. In the properties for every collection, configure the unique client status values.
Detail client health evaluations in Configuration Manager Current Branch. Health evaluations and remediations take place daily on every Configuration Manager client in the hierarchy. This information is updated at the site and is available for review on every client and also summarized for every client across the hierarchy.
Master It List the health evaluations and remediations that take place on Configuration Manager clients.
Solution
- Review the CCMEval.log file to see all evaluations and remediations that are taking place on clients.
- Review the CCMEval.xml file to understand the details behind each evaluation.
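As an added example that is not part of the book, the following PowerShell parses CMTrace-format entries such as those written to CCMEval.log and correlates them per health check rule, so that checks that failed without a successful remediation stand out. The log lines embedded below are constructed samples; their wording and GUIDs are not taken from a real client log.

```powershell
# Added example: parse CMTrace-format log entries (the format used by CCMEval.log)
# and summarize health check evaluations and remediations per rule.
# The sample entries are constructed for this example, not copied from a real client.
$sampleLog = @'
<![LOG[Evaluating health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000001}) - Verify WMI repository is consistent.]LOG]!><time="03:10:05.112+000" date="06-12-2023" component="CcmEval" context="" type="1" thread="4120" file="ccmeval.cpp:233">
<![LOG[Health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000001}) passed.]LOG]!><time="03:10:06.004+000" date="06-12-2023" component="CcmEval" context="" type="1" thread="4120" file="ccmeval.cpp:251">
<![LOG[Evaluating health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000002}) - Verify SMS Agent Host service startup type.]LOG]!><time="03:10:06.120+000" date="06-12-2023" component="CcmEval" context="" type="1" thread="4120" file="ccmeval.cpp:233">
<![LOG[Health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000002}) failed, attempting remediation.]LOG]!><time="03:10:06.300+000" date="06-12-2023" component="CcmEval" context="" type="2" thread="4120" file="ccmeval.cpp:260">
<![LOG[Remediation of health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000002}) succeeded.]LOG]!><time="03:10:07.870+000" date="06-12-2023" component="CcmEval" context="" type="1" thread="4120" file="ccmeval.cpp:271">
<![LOG[Evaluating health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000003}) - Verify BITS service exists.]LOG]!><time="03:10:07.900+000" date="06-12-2023" component="CcmEval" context="" type="1" thread="4120" file="ccmeval.cpp:233">
<![LOG[Health check rule ({4B9F36EB-1B4C-4E3E-9F6C-000000000003}) failed, remediation is not enabled for this rule.]LOG]!><time="03:10:08.001+000" date="06-12-2023" component="CcmEval" context="" type="3" thread="4120" file="ccmeval.cpp:265">
'@

function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # One CMTrace entry per line: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    $pattern = '^<!\[LOG\[(?<Message>.*)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)".*?\btype="(?<Type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                # time carries a UTC offset suffix (+000); the first 12 characters are HH:mm:ss.fff
                Timestamp = [datetime]::ParseExact("$($Matches.Date) $($Matches.Time.Substring(0,12))",
                                                   'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Component = $Matches.Component
                # CMTrace severity: 1 = informational, 2 = warning, 3 = error
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.Type]
                Message   = $Matches.Message
            }
        }
    }
}

function Get-CcmEvalSummary {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Correlate entries by rule GUID: what was checked, whether it failed, whether remediation fixed it.
    $rules = [ordered]@{}
    foreach ($e in $Entries) {
        if ($e.Message -notmatch '\{(?<Id>[0-9A-Fa-f-]{36})\}') { continue }
        $id = $Matches.Id
        if (-not $rules.Contains($id)) {
            $rules[$id] = [pscustomobject]@{ RuleId = $id; Check = ''; Result = 'Unknown'; Remediated = $false; LastSeen = $e.Timestamp }
        }
        $r = $rules[$id]
        $r.LastSeen = $e.Timestamp
        switch -Regex ($e.Message) {
            'Evaluating health check rule .*?\) - (?<Check>.+)$' { $r.Check = $Matches.Check }
            '\) passed'                                         { $r.Result = 'Passed' }
            '\) failed'                                         { $r.Result = 'Failed' }
            'Remediation of health check rule .* succeeded'    { $r.Result = 'Passed'; $r.Remediated = $true }
        }
    }
    return $rules.Values
}

$entries = ConvertFrom-CmTraceLog -Lines ($sampleLog -split "`r?`n")
$summary = Get-CcmEvalSummary -Entries $entries
$summary | Format-Table RuleId, Check, Result, Remediated, LastSeen -AutoSize
# Rules still failing after the run are the ones that need manual follow-up on the client.
$summary | Where-Object { $_.Result -eq 'Failed' } | ForEach-Object { "Needs attention: $($_.Check)" }
```

Point the same two functions at a real client by replacing the sample with `Get-Content "$env:windir\CCM\Logs\CCMEval.log"`; the message wording on a real client differs from the constructed samples, so adjust the regexes in Get-CcmEvalSummary to match it.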
Review client health results in the Configuration Manager console. Client health data is available in several locations of the console to allow access to health for individual devices and summarized data for all clients in the hierarchy.
Master It List the locations in the console where individual client health and summarized client health data are accessible.
Solution
- Individual client health data is available by viewing devices individually in collections.
- Summarized client health data is available in the Monitoring workspace of the Configuration Manager console by choosing the Client Status node and then the Client Activity and Client Check nodes.
- Configuration Manager reports also offer a view into client health data.
Explain the options available for Application Deployment. The new Application Deployment model is a significant and welcome change for deploying software in the enterprise. There are many new components including a rules-based Requirements engine, the ability to detect whether the application is already installed, the option to configure application dependencies and relationships, and more.
Master It List several configuration options available for applications and deployment types.
Solution
- Applications: The ability to publish in the Application Catalog, define supersedence, and reference information.
- Deployment types: The ability to set dependency information, specify criteria defining whether an application is already installed, configure requirements, and set return codes.
Detail the various components required for Application Deployment. Success with Application Deployment requires that several other Configuration Manager components be available and properly configured. The list includes management point(s), distribution point(s), IIS, BITS, the client itself, and possibly more.
Master It List the components required for configuring an application deployment.
Solution The application must have at least one deployment type, and the deployment content must be staged on at least one available distribution point. Clients must receive the deployment and pass any configured requirements, allowing the deployment to be initiated.
Understand the role of and manage distribution points. The role of distribution points has not changed significantly in that this is the role that makes content available to Configuration Manager devices and users. The options available for implementing the role have changed significantly with the inclusion of throttling to control content flow from the site server to remote distribution points, the single-instance storage approach for placing content on distribution points, the ability to detect content corruption, and the requirement that all distribution points be BITS enabled.
Master It Discuss the differences between implementing a distribution point role on the site server locally and remotely.
Solution
- Local distribution point: Content is transferred by local file copy; there is no ability to throttle a local distribution point.
- Remote distribution point: Content is transferred by network file copy. The ability to throttle content is available, but content is not compressed.
Plan to use Software Updates. You can use the same method of deployment intelligence that was used in Chapter 2 to gather information for planning to implement Software Updates. This will be very helpful in making sure that you get the most out of the Software Updates feature for your organization.
Master It What is the first step in gathering deployment intelligence when you are planning to implement Software Updates?
Solution The first step is to determine what needs to be accomplished with Software Updates.
Configure Software Updates. Before you can use Software Updates in your environment, you must set up and configure the various components of this feature.
Master It What is the first thing you have to install before you can use Software Updates?
Solution You must install Windows Server Update Services (WSUS). You can use either the full install or the WSUS administrative console, depending on what you are setting up.
Use the Software Updates feature to manage software updates. The hardest thing to do in SMS 2003 relating to patch management was to programmatically prioritize software updates that are critical so they can be deployed with a higher priority than other updates.
Master It What does Configuration Manager provide that can help with prioritizing software updates?
Solution Configuration Manager now includes the severity of all the updates that are synchronized into the Configuration Manager database. With that data, you can sort updates by that category and create search criteria and update groups based on their severity level. You can then use them as a source for your software update components.
Use automatic update deployment to deploy software updates. In Configuration Manager 2007, deploying software updates was a procedure that consumed a lot of time.
Master It Configuration Manager Current Branch has a new feature called Automatic Deployment Rules. What kinds of updates are suitable to deploy via the automatic deployment rules?
Solution Patch Tuesday software updates and definition files for Forefront Endpoint Protection can be deployed via the automatic deployment rules. Be sure to always test the updates to see if they have any impact on your environment.
Specify a Network Access account. The Network Access account is the account Configuration Manager will use to access the system while running WinPE.
Master It How do you specify the Network Access account?
Solution Open the Configuration Manager Console, and do the following:
- Choose the Administration workspace and expand Overview ➢ Site Configuration ➢ Sites.
- Select one of the sites for which you want to configure the Network Access account, and click Configure Site Components on the Home tab of the ribbon.
- Select Software Distribution.
- Select the Network Access Account tab, set the Network Access account to the account created earlier, and click OK.
Enable PXE support. PXE support in Configuration Manager is used to begin the operating system deployment process. The PXE feature responds to Configuration Manager clients making PXE boot requests.
Master It How do you set up PXE support?
Solution Open the Configuration Manager console, and do the following:
- Choose the Administration workspace and expand Overview ➢ Distribution Points.
- Select the site server on which the distribution point resides, and click Properties on the Site Role area of the ribbon.
- Select the PXE tab and click Enable PXE Service Point.
Update the driver catalog package. The driver catalog allows you to add drivers to the already created packages and images you have within your organization so you are not constantly re-creating your images when you get a new machine in your environment.
Master It How do you update the driver catalog package?
Solution From within the Configuration Manager console, do the following:
- Choose the Software Library workspace, expand Overview ➢ Operating Systems, and select Drivers.
- Click Import Driver on the Home tab of the ribbon of the Configuration Manager console.
- Browse to the network location of the drivers you want to import.
- Specify which package and boot images you want to import the specific drivers into.
Update an image from the console. In the past it was a big issue to keep your images up to date; no easy procedure existed. Configuration Manager now includes a feature called Schedule Updates that updates your Windows images.
Master It How do you easily update your Windows images?
Solution From within the Configuration Manager console, do the following:
- Choose the Software Library workspace, expand Overview ➢ Operating Systems, and select Operating System Images.
- From there select a Windows image and click Schedule Updates in the Home tab of the ribbon of the Configuration Manager console.
The image update runs on the schedule you specify; after you finish the wizard, the update will start automatically at the scheduled time.
Support Windows 10. You can support Windows 10 by using the traditional way of OSD or by using the new Windows 10 Servicing features.
Master It How can you support Windows 10?
Solution
- Choose the Software Library workspace, expand Overview ➢ Windows 10 Servicing, and select Service Plans.
- From there, create a Servicing Plan to support the servicing of the Windows 10 machines.
Configure and manage software inventory. Configuring software inventory has changed in Configuration Manager, although the client-processing part is almost the same as in earlier versions of Configuration Manager.
Master It By default, Configuration Manager does not inventory any file types. Where would you go to do that?
Solution Take the following steps:
- Navigate to the Administration workspace; under Overview, select Client Settings, and then open the Default Client Settings properties.
- Select Software Inventory.
- Click Set Types.
- Click the New button, and configure the files or file types you want to include in the software-scanning process.
Configure and manage hardware inventory. Hardware inventory provides a wealth of information on the hardware resources in your organization. That information is vital when planning for things such as updating standard business software or upgrading the standard operating system your organization uses. If the standard hardware inventory collected is not enough for your needs, then you have many options to extend the hardware inventory to get that vital information.
Master It Where do you enable or disable data classes in hardware inventory?
Solution You need to open the default client agent settings or create a custom client setting. Custom client settings can only be used when you want to enable data classes that already exist in Configuration Manager. For custom classes (or to delete classes), you must modify the default client settings.
Configure and manage software metering. Keeping track of software that is installed and actually being used is a large part of being able to manage software licenses effectively. By pairing software metering in Configuration Manager with software inventory, you can get detailed information on just what software is out there and who is or is not using it. This goes a long way to help keep your software licensing in compliance.
Master It How long do you have to wait, at the very least, after you configure software metering before you can expect to see any data returned?
Solution You must wait at least 12 hours. Software Metering Data Summarization runs daily by default and will run only against data that is at least 12 hours old. This wait period is required for all software metering reports to produce any meaningful data.
Enable Asset Intelligence. If you installed Configuration Manager from scratch, you will find that Asset Intelligence is not enabled by default. Depending on the data that you want information on, you will have to select the Configuration Manager Asset Intelligence reporting classes and make sure that client agents are enabled.
Master It Which classes in the Asset Intelligence Edit Inventory Classes dialog do you have to enable to use Asset Intelligence?
Solution You need to enable the following classes in the Asset Intelligence Edit Inventory Classes dialog to use Asset Intelligence:
- SMS_SystemConsoleUsage
- SMS_SystemConsoleUser
- SMS_InstalledSoftware
- SMS_AutoStartSoftware
- SMS_BrowserHelperObject
- SoftwareLicensingService
- SoftwareLicensingProduct
- Win32_USBDevice
- SMS_SoftwareTag
Configure the Asset Intelligence synchronization point. The Asset Intelligence synchronization point is used to connect to System Center Online to synchronize Asset Intelligence Catalog information and get periodic updates.
Master It What do you need to do in order to configure the Asset Intelligence synchronization point?
Solution
- You need to configure it on only the CAS or stand-alone primary site.
- You may want to obtain an optional System Center Online authentication certificate.
- If no valid certificate is issued, you can install the Asset Intelligence synchronization point without a certificate.
Import the Microsoft Volume License Statement. In Configuration Manager you can import the Microsoft Volume License Statement and the General License Statement so that the software inventory and Asset Intelligence can count the number of licenses currently in use in the environment.
Master It What file types does Configuration Manager support for the license statements?
Solution It will be a CSV file if the file to be imported is a General License Statement. If you are going to import a Microsoft Volume License Statement, it will be an XML or CSV file. You can obtain this file by logging into the following website: http://licensing.microsoft.com. Or you can request this file from your Microsoft Technical Account Manager or Account Manager.
Install the Reporting Services point. Installing a Reporting Services site system within Configuration Manager allows not only administrators but everyone to view reports in some fashion, either exported to different file formats or through a direct link within the Report Manager website.
Master It What is the procedure to enable Reporting with Configuration Manager?
Solution Open the Configuration Manager console, and do the following:
- Navigate to the Administration workspace.
- Expand Overview ➢ Site Configuration ➢ Servers And Site System Roles.
- Right-click the server and select Add Site System Roles.
- Select Reporting Point Role and follow the rest of the wizard.
Manage reporting security. Reporting security is an integrated part of the built-in security. You provide users with access to reports by adding them to a predefined security role or by creating a custom role with permissions to run or modify reports.
Master It Add users to a security role that is able to view reports.
Solution Open the Configuration Manager console, and do the following:
- Navigate to the Administration workspace ➢ Overview ➢ Security ➢ Administrative Users.
- Click Add User Or Group from the ribbon.
- Then select Read Only Access.
Create and manage report subscriptions. Creating subscriptions can be very helpful in many scenarios. You can configure subscriptions from Report Manager or in the Configuration Manager console.
Master It Create an email-based subscription.
Solution Open the Configuration Manager console, and do the following:
- Navigate to the Monitoring workspace.
- Expand Overview ➢ Reports.
- Select the report, and click Create Subscription from the ribbon.
Create custom reports. You may find some scenarios where the included reports in Configuration Manager may not meet your reporting needs and you need to create a custom report.
Master It Create a custom report. Determine whether the query in the report should use table functions or views.
Solution Open the Configuration Manager console, and do the following:
- Navigate to the Monitoring workspace.
- Expand Overview ➢ Reports, and select the appropriate folder.
- Click Create Report from the ribbon to start the process in Report Builder.
Enable the client settings. Until the client settings are enabled for your Configuration Manager clients, your clients will not evaluate any of the configuration baselines. This is the first step in using Compliance Settings to validate client settings.
Master It Enable Compliance Settings for the Configuration Manager clients.
Solution In the Compliance Settings section of the client settings, set Enable Compliance Evaluation On Clients to True.
Create configuration items. Configuration items are the pieces that make up a configuration baseline. There are a number of different configuration item types in Configuration Manager, and depending on the type you choose to create, you are presented with certain options when creating your configuration item. The steps to create configuration items were covered in the first part of this chapter, and they included several examples of how to create the different types of configuration items.
Master It Create a configuration item for an application that checks a registry string value.
Solution Start the wizard from the Assets And Compliance workspace, Compliance Settings node; make sure you have Configuration Items selected, and right-click it. Choose Create Configuration Item. In the wizard, complete the following settings:
- On the General tab, enter appropriate information for these fields:
Name: Application name and value description
Description: Configuration item for …
Categories: Add categories
- On the Settings tab, choose New Settings Registry Key from the menu and enter the information for the Configuration Item.
Define a configuration baseline. This is where you take one or more of the CIs and put them into a package that the Configuration Manager client downloads and at the scheduled time validates by checking the CIs against the computer. The Configuration Manager client then reports the outcome of those checks back to Configuration Manager, where you can then run reports to see if your clients are within the specified configuration. These steps were covered in the last section of the chapter.
Master It Assemble a configuration baseline with one or more configuration items you have created.
Solution Follow these steps:
- In the Assets And Compliance workspace, expand Compliance Settings, and then choose Configuration Baselines.
- Right-click and choose Create Configuration Baseline.
Enter an appropriate name and description for this baseline, and select or create any categories necessary.
The Configuration Data list displays all the configuration items or configuration baselines that are included in the configuration baseline.
- Click Add to add a new configuration item, and choose the configuration items you have created.
- Click OK and Apply, and your baseline will be created.
- Deploy the configuration baseline to a collection.
Deploy and configure the Endpoint Protection site system and client. The three main components of enabling Endpoint Protection are as follows:
- Install and configure the Endpoint Protection site system.
- Enable and configure the Endpoint Protection client.
- Configure the antimalware policies.
Master It Do you need to create a package or application to deploy the Endpoint Protection client? Do Windows 10 computers use the Endpoint Protection agent?
Solution No. The installation media for the System Center Endpoint Protection client (SCEPInstall.exe) is distributed to the managed devices as part of the Configuration Manager client install media. Remember that the SCEP client won’t actually be installed on managed devices until the Endpoint Protection client is enabled and configured in an assigned client settings policy. Also remember that the Endpoint Protection client cannot be enabled until the Endpoint Protection site system role is enabled.
Create and assign an Endpoint Protection policy. Endpoint Protection has two types of policy:
- Antimalware
- Windows Firewall
The antimalware policy is used to define the antimalware settings, whereas the Windows Firewall policy can be used to control the configuration of Windows Firewall on managed computers. Both types of Endpoint Protection policies are created and modified in the Configuration Manager console.
Master It If you modify the default client antimalware policy and also create a custom antimalware policy with different values for the settings and apply it to a collection, which settings will be applied?
Solution Changes made to the default policy will be applied to all managed computers in the environment. However, the custom policy will override any settings that are in conflict with the default policy.
Understand the role-based administration model in Configuration Manager. SMS and Configuration Manager 2007 used a class and instance security model, which could be confusing at times. Configuration Manager now adopts the RBAC model, thereby making the administration of security in Configuration Manager a less-daunting task.
Master It What does RBAC stand for? And what does role-based administration mean?
Solution RBAC is an acronym for Role-Based Access Control and is the security model used in many products in the System Center suite, including Configuration Manager.
Role-based administration means that the Configuration Manager administrator can use a combination of security roles, security scopes, and collections to define what the administrative users can view and manage. Configuration Manager has the ability to apply role-based administration to reports as well, greatly simplifying the process of securing access to report data.
Distinguish security roles from security scopes. Security roles and security scopes are important components of the role-based security model in Configuration Manager.
Master It Can you identify the key differences between a security role and a security scope?
Solution The primary difference between the two is that a security role is used to organize tasks or functions, whereas a security scope is used to define access to objects. The security role is the action (or the lack of it, if you are trying to block access), whereas the security scope is the set of objects that action is performed on.
Understand which objects in Configuration Manager define an administrative user. The administrative user consists of the security role, the security scope, and collections. In this chapter you learned the differences between a security role and a security scope, and you know that collections can be used to control the objects that an administrative user can access.
Master It As the Configuration Manager administrator, do you need to create a custom Configuration Manager console so that the administrative user can see only what you want them to see?
Solution No. The beauty of the role-based administration model is that users will see only what they have access to in the Configuration Manager console. You do not need to provide a modified console for them. They simply log on to the environment with their administrative user account and open the Configuration Manager console, and they will see only the objects they have access to. Objects that they do not have access to will be hidden.
Understand how to simulate permissions in the Configuration Manager console. The RBAC model in Configuration Manager greatly simplifies the process for creating administrative users and defining what objects in Configuration Manager they can access.
Master It Besides the Configuration Manager console itself, what other tool can you use to simulate Configuration Manager user security and verify that the security model will provide the desired level of access?
Solution Use the RBA Viewer application from the Configuration Manager Toolkit. It will allow you to easily define new security roles, simulate the access the new role will have in the Configuration Manager console, and provide the ability to simulate the console experience under a specific user account.
Configure backups for Configuration Manager sites. Backing up Configuration Manager sites can be automated by scheduling the Backup Site Server maintenance task. When the Configuration Manager backup service (SMS_SITE_BACKUP) starts, it uses instructions in the backup control file, located at
[ConfigMgr Install Location]\Microsoft Configuration Manager\Inboxes\smsbkup.box\smsbkup.ctl
Master It Recovering a complete Configuration Manager site is only supported with site backups from what source?
Solution The backups must be created by the Backup Configuration Manager Site Server maintenance task.
Archive backup snapshots to another location. The Backup Site Server task creates a backup snapshot and can be used to recover a Configuration Manager site system if it fails. The next time the backup task runs, it makes a new backup snapshot that will overwrite the one that was made during the last snapshot. This could be a problem if the current backup snapshot becomes corrupted for some reason, because there is no other backup to restore from.
Master It What process could you use to copy backup snapshots from the site server to a new location?
Solution You can use AfterBackup.bat.
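The script below is an added example, not part of the book or of Configuration Manager, of what AfterBackup.bat can hand off to: it copies the snapshot folder into a dated archive folder, verifies every copied file by hash, and prunes old archives. It assumes the batch file passes the snapshot folder and the archive root as arguments; the path names, the `Keep` count and the script name are hypothetical.

```powershell
<#
  Archive-CMBackupSnapshot.ps1 (hypothetical name; added example, not ConfigMgr code)
  Assumed call from AfterBackup.bat, e.g.:
    powershell -File Archive-CMBackupSnapshot.ps1 D:\CMBackup\PS1Backup \\fs01\CMArchive
#>
param(
    [Parameter(Mandatory)] [string] $SnapshotPath,  # folder the backup task just wrote (assumed)
    [Parameter(Mandatory)] [string] $ArchiveRoot,   # where dated copies are kept (assumed)
    [int] $Keep = 7                                 # number of dated archives to retain
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SnapshotPath -PathType Container)) {
    throw "Snapshot folder not found: $SnapshotPath"
}
$snapRoot = (Get-Item -LiteralPath $SnapshotPath).FullName.TrimEnd('\')
$leaf     = Split-Path $snapRoot -Leaf

# Each run gets its own timestamped folder, so the next backup task run cannot overwrite it.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $ArchiveRoot $stamp
New-Item -ItemType Directory -Path $target | Out-Null
Copy-Item -LiteralPath $snapRoot -Destination $target -Recurse   # lands in $target\$leaf

# Verify the copy file by file before trusting it as a restore source.
$srcFiles = Get-ChildItem -LiteralPath $snapRoot -Recurse -File
foreach ($f in $srcFiles) {
    $rel  = $f.FullName.Substring($snapRoot.Length).TrimStart('\')
    $copy = Join-Path (Join-Path $target $leaf) $rel
    $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $copy       -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch for $rel; archive $target must not be used for recovery"
    }
}

# Prune: keep only the newest $Keep dated archive folders.
Get-ChildItem -LiteralPath $ArchiveRoot -Directory |
    Where-Object { $_.Name -match '^\d{8}-\d{6}$' } |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Recurse -Force

Write-Output "Archived $snapRoot to $target and verified $($srcFiles.Count) files."
```

Because the verification throws on any mismatch, a failed archive run is visible in the backup task's output rather than silently leaving an unusable copy.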
Reinstall the site components and reset file and registry permissions to their default settings. It’s possible that at some point the site will have issues or become corrupted. Or maybe the Configuration Manager folder permissions were modified and are impacting the functionality of the site.
Master It How can you restore the file and registry permissions without performing a complete restore?
Solution Run setup.exe from the Start menu or from the <Configuration Manager installation directory>\Microsoft Configuration Manager\bin\x64 folder. Select Perform Site Maintenance Or Reset This Site and click Next. On the Site Maintenance page, select Reset Site With No Configuration Changes and finish the wizard.
Create a basic maintenance plan. Setting up a basic maintenance plan is a vital step to ensure the proper health of your Configuration Manager (Current Branch) hierarchy.
Master It How do you create a basic maintenance plan?
Solution Develop a plan, similar to the guidelines discussed in the section “Creating the Maintenance Plan” in Chapter 17. Review and modify the plan on a biannual basis, and update it throughout the year to ensure nothing gets overlooked and the documentation is up to date with the current design of the Configuration Manager site.
View log files using CMTrace. Although using CMTrace is not a requirement for viewing log files, it is highly recommended because CMTrace constantly monitors the opened file for updates.
Master It Explain how to use CMTrace to view log files.
Solution Configuration Manager CMTrace is located on your installation media in SMSSETUP\Tools\cmtrace.exe. Click File, browse to the log file you want to review, and open it.
Troubleshoot DRS replication. To view the current status of the Configuration Manager DRS replication and to know the latest information about the changes being requested on the site, it’s important to be familiar with the log file and the replication process.
Master It To view the latest changes on the replication process, what log file do you need to open?
Solution Locate the RCMCtrl.log file and open it using CMTrace. Locate the DRS initiation and RCM changes.
Other solutions might include executing the spDiagDRS stored procedure to view the current replication status and details about the data that is being replicated. You can find more details about the RCMCtrl.log at the beginning of Chapter 17.
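For both the CMTrace and the RCMCtrl.log solutions above, here is an added example (not from the book or from Configuration Manager) that parses CMTrace-format log entries in PowerShell and lists the warnings, errors and DRS/RCM-related lines, the same triage CMTrace's colour highlighting gives you but scriptable. It assumes the standard `<![LOG[...]LOG]!><time=... date=... component=... context=... type=... thread=... file=...>` entry layout; the sample lines are constructed, and the log path is an assumption.

```powershell
# Added example: turn CMTrace-format lines into objects (type 1 = info, 2 = warning, 3 = error).
function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"' +
               '\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = ($Matches.time -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $Matches.comp
                Severity  = $severity[$Matches.type]
                Thread    = [int]$Matches.thread
                Message   = $Matches.msg
            }
        }
        # Lines that do not match (continuation text, truncated writes) are skipped.
    }
}

# Constructed sample entries in the RCMCtrl.log format; the message text is made up.
$sample = @(
    '<![LOG[Constructed sample: DRS initialization started]LOG]!><time="08:00:01.000+000" date="01-15-2024" component="RCMCTRL" context="" type="1" thread="4321" file="rcmctrl.cpp:100">',
    '<![LOG[Constructed sample: replication link degraded]LOG]!><time="08:00:05.250+000" date="01-15-2024" component="RCMCTRL" context="" type="2" thread="4321" file="rcmctrl.cpp:210">',
    '<![LOG[Constructed sample: RCM changes failed to apply, retrying]LOG]!><time="08:00:09.500+000" date="01-15-2024" component="RCMCTRL" context="" type="3" thread="4321" file="rcmctrl.cpp:300">'
)

$entries = ConvertFrom-CMTraceLog -Lines $sample

# Same triage against the real file (assumed default Logs folder; adjust to your install path):
# $LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\RCMCtrl.log'
# $entries = ConvertFrom-CMTraceLog -Lines (Get-Content -LiteralPath $LogPath)

$entries |
    Where-Object { $_.Severity -ne 'Info' -or $_.Message -match 'DRS|RCM' } |
    Sort-Object Date, Time |
    Format-Table Date, Time, Severity, Component, Message -AutoSize
```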
Detail the differences between lite and depth management. The management options and settings available for mobile devices will vary depending on whether lite-management or depth-management options are in place.
Master It List MDM capabilities for lite versus depth management.
Solution Lite management of devices allows for limited device inventory, settings management, and remote wipe.
Depth management of devices allows for over-the-air enrollment, full inventory, more complete settings management, software distribution, and remote (selective) wipe. Also, on-premises MDM is considered to be depth management.
Understand how to configure MDM. Properly configuring MDM requires addressing several potential scenarios. From a Configuration Manager perspective, though, the choice is simple: lite or depth management.
Master It List the items that need to be configured for both lite and depth management.
Solution Lite management requires a properly configured ActiveSync connection between the Exchange server and managed devices as well as proper configuration of the Configuration Manager Exchange ActiveSync connector.
Depth management requires configuring the Service Connection Point and using Microsoft Intune as a middle tier between your Configuration Manager environment and your mobile devices.
The second depth-management option, on-premises MDM, involves the proper configuration of an enterprise certification authority, Active Directory, and several different site system roles. The site system roles include the enrollment point, enrollment proxy point, device management point, and distribution point, which together support the on-premises management of Windows 10 and later versions via the MDM channel.
Understand the depth-management enrollment process. From the user perspective, the enrollment process for depth management is straightforward. Behind the scenes, there are a number of moving parts. Each of these components is critical to the enrollment process.
Master It List the components required to enroll depth-managed devices.
Solution
- Enrollment Web Proxy site system role
- Enrollment Service Point site system role
- Management point enabled to support mobile devices via HTTPS
- Distribution point enabled to support mobile devices via HTTPS
- Enterprise Microsoft certification authority
- Active Directory services
- Microsoft Intune subscription
- Service Connection Point