The good news is that the AD schema extensions are the same as for the 2007 / 2012 / 2012 SP1 versions, so if you have already extended the schema you do not need to do it again. It’s still a pretty daunting task to set up SCCM 2012 R2; this hydration kit can help (at least for PoC or evaluation environments).
The only supported upgrade path is through Configuration Manager 2012 SP1. You start with the site server in the Central Administration Site (CAS) if you have one, or with your primary sites, and then upgrade your secondary sites through the Configuration Manager console. There’s a small problem with the upgrade process that will be avoided if you allow the setup program to download updates; if some of your site servers aren’t connected to the internet, use the Setup Downloader to have the updated files ready. As in earlier versions, you can migrate (a side-by-side installation) from SCCM 2007 SP2 to 2012 R2.
When setting up a primary or central administration site you can now specify non-default file locations for the database files. There’s a new site system role: the certificate registration point that runs on IIS and works with the Network Device Enrollment Service.
For good information on which OS versions are supported for site servers and for clients, see here. The short version is that Windows Server 2012 R2 works for site servers, and Windows 8.1 / 2012 R2 client support has been added to SCCM 2007 SP2, 2012 SP1 and of course 2012 R2.
Client management
Mac computers can now have the client certificate installed and be enrolled using a new wizard instead of the CMEnroll command-line tool, and there’s also a wizard to renew client certificates.
If you have multiple client settings applied to devices, you can use the new Resultant Client Settings to view the effective settings that will be applied, similar to the Group Policy Resultant Set of Policies wizard. Clients (including mobile devices) can now be assigned to another primary site in the hierarchy, either one-by-one or in bulk.
Another useful new addition to SCCM is Remote Connection Profiles, which let you push out Remote Desktop settings to users so they can access their primary work computer(s) remotely. If you’re using Intune the connection is seamless; if not, the user just needs to establish a VPN connection before connecting to their PC.
Maintenance windows can now apply to software updates only, task sequences only or to all deployments. You can also use the new Preview button to verify that your property filters and search criteria are correct when you define an automatic deployment rule.
Also new are Certificate Profiles, which let you deploy user and device certificates for managed devices through Simple Certificate Enrollment Protocol (SCEP) for iOS, Windows 8.1 / RT and Android devices. This new functionality ties in with the Windows Server 2012 R2 Active Directory Certificate Services (AD CS) and Network Device Enrollment Service roles through the Configuration Manager Policy Module that you install on the AD CS server. The overall net effect is simplicity when working with certificate-based security for WiFi connections or when using PKI to control access to company resources from personal devices.
Microsoft is showing that they’re serious about managing mobile devices on any OS; VPN settings and certificates are certainly among the hardest things to keep track of.
VPN Profiles is my favorite new feature – this lets you push out connection icons to Windows 8.1, RT/RT 8.1 devices as well as iPhones / iPads with iOS 5-7 automatically. All the user has to do is tap the connection or alternatively if you’re using automatic VPN connections per application the connection will be made when the app is started. Automatic VPN is only supported on Windows and iOS devices currently and it’s based on the DNS address that an app is trying to access to activate the functionality.
VPN Profiles support Microsoft VPN technologies as well as third party ones (Cisco, Juniper, F5 Edge, SonicWall, Check Point). This feature also ties in with the previous one and lets you use Certificate Profiles to deploy any needed certificates for VPN connections.
The ability to manage VPN settings for both Microsoft and third party through profiles is potentially the biggest time saver in this version of Configuration Manager.
There’s a new deployment type for applications called Web applications, which pushes out a shortcut to a web-based app. SCCM 2012 R2 also supports the new appxbundle package type that was introduced in Windows 8.1.
You can now work with virtual hard disks in the SCCM console for OS deployments as well as specify a PowerShell script to run on a client during an OS install.
Mobile devices
For Android (4.0+) devices there’s a company portal app that includes the management agent, which lets you control password, encryption and camera settings. For iOS (6.0+) there’s a similar app that controls password settings and lets users enroll, unenroll and wipe company data from their devices. The biggest improvement is probably the option to wipe only company content from a device; in earlier versions the only option with a local or remote wipe was to delete all data from devices.
You can also choose whether devices are Company- or Personal-owned; with the former option you get a full software inventory, and you use the Change ownership action to move devices from state to state. For app deployment to Windows RT, iOS and Android you can now set an app to Required so you can schedule installations more efficiently.
Reporting is now fully compliant with role-based administration, so a particular administrator can only view the information defined for their role.
If you’d like to dive into the deep waters of really understanding SCCM, I’d recommend the quizzes that the product team produces and keeps regularly updated – find them here.
Overall the additions to SCCM in this version will be welcomed by real sysops in the trenches, particularly if they’re dealing with BYOD and device management (who isn’t these days). These