A service pack is often a collection of hotfixes and maybe one or two new features. Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1) is an exception to the rule. It's full of so many new features that it should be called a feature pack. I'll summarize my personal top 5 favorites and explain why the SP1 release is a must-install.
1. Support for Windows 8 and
Configuration Manager now supports all site systems that run on Windows Server 2012, including the primary site server. There is also full feature support for Windows 8. And some new features—such as metered networks, user data and profiles, and modern style applications—are supported only on Windows 8.
Metered networks. Metered networks in Windows 8 protect users who connect via connections such as 3G or 4G (which have a cost associated with data transfer) from getting a huge bill from their cell providers. With Configuration Manager, you can control the download behavior for each deployment and each device, as Figure 1 shows.
To control who can download while connected to a metered connection, create a new custom client device setting in the Administrator workspace. Choose Metered Internet Connections. Choose Allow under Device Settings, as Figure 2 shows.
- Close the custom settings and deploy them to a collection of laptops.
For each deployment, you can configure whether to allow the download and installation on metered networks, as Figure 3 shows.
User data and profiles. User data and profiles have been around in Microsoft environments for a long time. However, they were previously accessible only through Active Directory (AD) and Group Policy Objects (GPOs). Now, Configuration Manager allows administrators to manage and report on user profile settings such as folder redirections, offline files, and roaming profiles. The main benefits of controlling user data and profiles in Configuration Manager instead of in AD are the flexibility and the ability to configure the feature in a reporting-only mode. As with any other deployment, you simply create the settings and deploy them to a collection. Working with collections does not require users to log off or restart computers.
- Start the user data and profiles process in the Asset and Compliance workspace.
- Choose Compliance Settings, User Data and Profiles. Click Create User Data Profiles Configuration Item on the Ribbon.
Select the settings that you want to control (as Figure 4 shows) and click Next.
On the Folder Redirection page, which Figure 5 shows, you can configure a few settings, control which device the settings will apply to, and configure thresholds for alerts and warnings.
The next setting to control is offline files, as Figure 6 shows. Again, most of these settings can also be controlled by Group Policy, but that method doesn't give you the monitoring option or flexibility of using collections.
Finish the wizard and click Deploy on the Ribbon. In the Deploy User Data and Profiles Configuration Item dialog box, assign a user collection and set automatic remediation and compliance thresholds. See Figure 7 for an example.
2. Windows PowerShell Support
Long have we been waiting for true PowerShell support in Configuration Manager. Finally, the wait is over. Microsoft envisions that all features in the Configuration Manager console will be available as PowerShell cmdlets. Microsoft will continue to add more PowerShell cmdlets in upcoming cumulative update releases. The most recent release, CU1, adds 40 new cmdlets, bringing the total number to 511.
You can launch PowerShell from within the Configuration Manager console. Doing so also launches the Configuration Manager module. Or you can launch PowerShell and manually launch the Configuration Manager PowerShell module.
- To open the Configuration Manager Administrator console, choose Start, Connect via Windows PowerShell.
- In the PowerShell console, enter A (to always trust the publisher) and press Enter.
- Enter the following command and press Enter to list all the Configuration Manager cmdlets, as Figure 8 shows:
Get-Command -Module ConfigurationManager
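Loading the module manually, as an added example that is not from the original article: it checks the module's Authenticode signature before import, which is the decision the "always trust the publisher" prompt asks you to make. It assumes the console is installed locally (the installer sets SMS_ADMIN_UI_PATH) and that the manifest is ConfigurationManager.psd1 in the console's bin folder; the function name is hypothetical.

```powershell
# Added example: load the Configuration Manager module outside the console.
# Assumption: the admin console is installed, so SMS_ADMIN_UI_PATH is set
# (it points at ...\AdminConsole\bin\i386; the module sits one level up).
function Import-CMModuleVerified {
    [CmdletBinding()]
    param(
        [string]$ConsoleBinPath = $env:SMS_ADMIN_UI_PATH
    )

    if (-not $ConsoleBinPath) {
        throw 'SMS_ADMIN_UI_PATH is not set; is the console installed?'
    }
    $binRoot  = Split-Path -Path $ConsoleBinPath -Parent
    $manifest = Join-Path $binRoot 'ConfigurationManager.psd1'
    if (-not (Test-Path -LiteralPath $manifest)) {
        throw "Module manifest not found: $manifest"
    }

    # Inspect the signature yourself instead of answering the prompt blind.
    $sig = Get-AuthenticodeSignature -FilePath $manifest
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to import: signature status is $($sig.Status)"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to import: unexpected signer $subject"
    }

    Import-Module $manifest -ErrorAction Stop

    # The module registers one CMSite drive per site; cmdlets run from it.
    $drive = Get-PSDrive -PSProvider CMSite -ErrorAction Stop |
        Select-Object -First 1
    Set-Location "$($drive.Name):"

    # Return the thumbprint so it can be recorded or pinned later.
    return $sig.SignerCertificate.Thumbprint
}

$thumb = Import-CMModuleVerified
Write-Host "Module loaded; signer thumbprint $thumb"
(Get-Command -Module ConfigurationManager | Measure-Object).Count
```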
The built-in cmdlets will make your life as a Configuration Manager administrator easier. Figure 9 shows how to create two new collections: a device collection and a user collection. Note that each collection is limited to another collection.
Use these commands, respectively:
New-CMDeviceCollection -Name "CT All Workstations" -Comment "My first collection created with PowerShell" -LimitingCollectionName "All Systems"
New-CMUserCollection -Name "SWU Microsoft Office 2013 Install" -Comment "All users in this collection will get Microsoft Office 2013 installed" -LimitingCollectionName "All Users and User Groups"
Collections gain their member lists via collection rules. A rule can be a dynamic query or a direct membership rule; it can include or exclude members from another collection. The first of the following sample cmdlets uses PowerShell to create a direct membership rule that adds an AD group as a member of the SWU Microsoft Office 2013 Install collection. The resource ID can be found by looking at the properties of each object in the Configuration Manager console. The second sample cmdlet shows how to create a dynamic membership query that adds all workstations as members of the CT All Workstations collection.
Add-CMUserCollectionDirectMembershipRule -Collectionname "SWU Microsoft Office 2013 Install" -ResourceId 2080374411
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "CT All Workstations" -RuleName "All Workstations" -QueryExpression 'select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%workstation%"'
These are just a few examples of how PowerShell comes in handy. With more than 400 cmdlets, the sky is almost the limit of what you can do.
3. New Operating System Deployment Features
In Configuration Manager 2012 release to manufacturing (RTM), Operating System Deployment (OSD) was basically the same as in Configuration Manager 2007. But that has all changed in SP1. Besides finding full Windows 8 and Windows Server 2012 support, you will also find new features that you can use when deploying Windows 7 and even Windows XP computers.
The first thing that you'll notice when upgrading to SP1 is that you need to uninstall the Windows Automated Installation Kit (WAIK) and instead install the Windows Assessment and Deployment Kit (Windows ADK). All your old boot images will be replaced with the standard WinPE 4.0 boot image. These are some of the coolest new features:
- Windows BitLocker Drive Encryption enhancements allow BitLocker to be provisioned in WinPE (as Figure 10 shows) and encrypt data as it's added. A BitLocker process now takes a few minutes instead of several hours.
- Prestaged media now supports the storage of all content, packages, drivers, and so on. If content changes between media creation and deployment, new content is automatically downloaded from the distribution point. This change is a huge benefit because we often have scenarios in which prestaged media can be several weeks old before reaching its destination. You can also use the prestaged media file and wtgcreator.exe application in the \OSD\Tools\WTG\Creator folder on the site server to create a Windows To Go deployment, as Figure 11 shows.
- Unified Extensible Firmware Interface (UEFI), which replaces the grand old BIOS in newer hardware models, is supported. The main benefits of UEFI are faster boot and support for the latest and greatest hardware.
New deployment options, as listed in Table 1, provide administrators with much more control of the deployment process.
Table 1: New Deployment Options

| Deployment option | Description |
| --- | --- |
| Only Configuration Manager client | This option is useful in refresh scenarios when you want to start the OSD deployment process from a working OS. |
| Configuration Manager clients, media, and PXE | In this classical deployment option, the task sequence is visible in all environments. |
| Only media and PXE | This option is used for bare-metal deployments in which the computer is not booted into an existing OS. |
| Only media and PXE (hidden) | This option allows the administrator to deploy multiple required task sequences and to automatically select which one to run at deployment. Administrators can use the built-in variable SMSTSPreferredAdvertID. |

- Preboot Execution Environment (PXE) provides better logging. Also, the Configuration Manager 2007 monitoring experience is back, which allows administrators to once again monitor all the OSD phases in reports and in the Configuration Manager console.
- Much of the support that we are used to seeing in the Microsoft Deployment Toolkit (MDT) is now built into Configuration Manager. Some of the most useful changes add support for additional components in WinPE, such as PowerShell, and add custom files in the boot image.
Configuration Manager SP1 offers you a much better way to control your OSD deployments. OSD is a powerful feature, but one failure and you can end up re-imaging 1,000 desktops and 250 servers. Oh yeah, that has happened before—but hopefully won't anymore, thanks to these new options (see Figure 12).
You can use this simple Visual Basic (VB) script in the boot image to select a hidden task sequence:
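' Bind to the task sequence environment exposed in WinPE.
Set env = CreateObject("Microsoft.SMS.TSEnvironment")
' The deployment ID is a string, so it must be quoted.
env("SMSTSPreferredAdvertID") = "PS10000B"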
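A PowerShell counterpart to the VBScript above, added here as an example and not taken from the original article: it picks the hidden deployment from an allow-list keyed on hardware model and fails closed when the model is unknown, so a machine never falls through to an unintended task sequence. It assumes the PowerShell and WMI components are in the boot image; the model names, the second deployment ID, and the function name are placeholders.

```powershell
# Added example: choose a hidden task sequence from a WinPE prestart command.
# Assumptions: PowerShell and WMI are in the boot image; the model names and
# the second deployment ID below are placeholders to replace with your own.
$DeploymentByModel = @{
    'EXAMPLE-LAPTOP-MODEL'  = 'PS10000B'   # deployment ID used in the article
    'EXAMPLE-DESKTOP-MODEL' = 'XXX2000A'   # placeholder
}

function Select-HiddenDeployment {
    param(
        [Parameter(Mandatory = $true)][string]$Model,
        [Parameter(Mandatory = $true)][hashtable]$Map
    )

    # Hashtable lookups are case-insensitive; trim padding from WMI strings.
    $id = $Map[$Model.Trim()]

    # Fail closed: an unknown model gets no task sequence at all.
    if (-not $id) {
        throw "No deployment mapped for model '$Model'"
    }

    # Assumed ID format: 3-character site code followed by 5 hex characters.
    if ($id -notmatch '^[A-Z0-9]{3}[0-9A-F]{5}$') {
        throw "Malformed deployment ID '$id'"
    }
    return $id
}

$model = (Get-WmiObject -Class Win32_ComputerSystem).Model
$id    = Select-HiddenDeployment -Model $model -Map $DeploymentByModel

# Same COM object the VBScript uses; Value is its read/write variable store.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('SMSTSPreferredAdvertID') = $id
Write-Host "Model '$model' mapped to deployment $id"
```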
4. New Software Update Management Features
You won't find as many changes in software updates as in some other areas of Configuration Manager. But the changes that you do find can have a huge impact in your environment:
- SP1 includes support for multiple software update points. A limitation in Configuration Manager 2012 RTM was that it supported only one software update point (with the exception of an Internet-based software update point). The change might not sound that big, but it makes a huge difference in environments in which a single primary site covers multiple forests with and without a trust relationship. Prior to SP1, you needed to allow all clients from all forests and domains access to one software update point—and then deal with the consequences for security and firewalls. Now Configuration Manager supports installation of a software update point, management point, distribution point, and application point (all user-facing site systems) in a remote forest.
- Now you can automatically clean up expired updates from distribution points and source locations, greatly affecting the amount of content that is replicated to distribution points. It is not uncommon to see software update packages of 10 to 30GB. Often, 10 to 20 percent of that content is expired; expired updates can't be installed on clients and are a waste of disk space and replication. The cleanup task is fully automated and can't be controlled. You can monitor the cleanup process by reading the wsyncmgr.log file on the primary site server, as Figure 13 shows.
- Allowing fallback to Microsoft Update when updates are unavailable at the distribution point is a new deployment feature that allows Configuration Manager 2012 SP1 clients to fall back to the cloud and download binaries that aren't found locally. This feature is completely transparent for the end user and isn't the same as allowing the end user real-time access to Microsoft Update.
5. Platform and Infrastructure Changes
Say "cloud," and many administrators will tell you about many applications—none of which used to be in Configuration Manager. But that all changes with SP1. Now we see cloud integration on site systems, in client support, and—as previously mentioned—as a fallback solution for software updates.
- Windows Intune has long been a standalone cloud-based solution with features such as application deployment, inventory, patch management, and endpoint protection. SP1 introduces a Windows Intune connector that gives the administrator a single pane of glass to manage Windows Intune enrolled devices in the Configuration Manager console. The list of supported devices expands beyond traditional Windows devices (although feature support differs between devices):
- Apple iOS (iPad and iPhone)
- Google Android
- Windows 8 Phone
- Windows RT
- The cloud-based distribution point is a Windows Azure solution in which content is stored in the cloud. There are several benefits of using a cloud-based distribution point:
- The cloud distribution point can be used as a fallback solution.
- Clients will fall back to the cloud distribution point only if the requested content is unavailable on the local or remote distribution point.
- The cloud-based distribution point can be used by Internet-based clients.
- The solution does not require a full public key infrastructure (PKI) environment.
- The solution is a dynamic one in which you can change the content requirement on the fly.
- The cloud-based distribution point is managed in the same way as an on-premises distribution point.
- The pull distribution point is a new on-premises distribution point role. A pull distribution point is not controlled by the site server in the same way. Traffic to the pull distribution point honors neither bandwidth control nor scheduling. Instead, the site server sends a message to the pull distribution point, informing it that content is available and can be downloaded from one of the pull distribution point partners.
- Another infrastructure change is the ability to add a new central administration site to an existing primary site. This can be done only once in the hierarchy.
- Migration from other Configuration Manager 2012 SP1 sites is also supported. Previously, migration was supported only from a Configuration Manager 2007 SP2 environment.
- Microsoft SQL Server replication has been optimized, which is extremely useful when you are working with multiple sites.
- There is support for Mac OS clients. The supported features are application deployment, settings management, and inventory management. Mac OS support requires that you implement PKI and have HTTP Secure (HTTPS) support on at least one management point, distribution point, enrollment point, and enrollment proxy point.
- There is support for UNIX and Linux servers. Supported features include malware protection, software deployment, and inventory management. The UNIX support does not require any changes in the infrastructure.
More Than Expected
I hope I've proven that Configuration Manager 2012 SP1 is more than just another service pack with a few bug fixes. With support for the cloud and new OSs (both Microsoft and others), as well as several feature improvements, this pack offers much more than you might expect.