
IDEA: Store your SCCM source files in a location called "Source Files".

You can place your packages, image files and updates in separate folders here.

===================================================
LESSON 12: DEPLOYING SOFTWARE UPDATES
===================================================
- The process of deploying software updates is relatively easy to put together.
- Software update is easier to use in SCCM 2007 partly because it works with WSUS.
- For us to be able to use software updates deployment in our SCCM environment, we have to install WSUS on our SCCM server.
- The software update feature also works with the Software Update client agent and Site role. The site role works with SCCM to pull down the files.
- Deployment templates and packages are how you get to define the updates that get pushed down to your clients and how they get pushed down.
- With this feature, we will not only deploy updates but we will also report on updates.

# WSUS
- SCCM relies on WSUS to handle updating the list of metadata and pulling the updates down from Microsoft.
- WSUS itself has some limitations on how it can be managed. It relies on OUs and the deployment of group policies to successfully deploy patches out to machines.

1. First we need to install WSUS on our SCCM server. We will need to determine if we want to store the updates locally or we want to have our machines install the updates from Microsoft. If we decide to store updates locally, we will need to make sure that we have more than enough disk space to contain the updates that we will be deploying (the default location is C:\WSUS).
- We will need to create a separate WSUS 3.0 SP1 website. It is very important that we write down what the port number is as we will need it later (to connect to our WSUS infrastructure).
- We usually use the default settings apart from the one setting that we changed from the default IIS website to WSUS 3.0 website.
- We will install WSUS but we will use SCCM to manage our WSUS service and infrastructure.

2. Second we need to verify that our SCCM infrastructure is ready for software update deployment.
- Client Agents --> Software Updates Client Agents (enabled by default)... we can choose to enforce mandatory deployments and hide all deployments from end point users... we can also configure deployment re-evaluation to get clients to check the status of deployed updates and re-install failed deployments... we can set a schedule for this.
- Site Systems --> Install the Software Update Point role... The software update point role connects SCCM to the WSUS instance... In a case where WSUS is installed on a separate system from the SCCM server, we will need to install separate components (WSUS administration console must be installed on the site server...) so that SCCM can connect with WSUS... During the sync source phase, we configure WSUS via SCCM and reporting to view what is going on on the clients (whether updates are succeeding or failing)... We can select which updates we want to download under 'classifications'; 'products' (for Microsoft product updates); and 'languages'.
- We can edit these properties later under Computer Configuration.

3. Complete the synchronization to see what sort of updates we have available.
- Computer Management --> Software Updates --> Update Repository (repository of all the updates that have been brought down from Microsoft) --> Right click and run synchronization (this synchronizes our local instance with the repository at Microsoft).
- This can take a substantial amount of time (especially if this is the first time) but when it completes, we will be able to see lists of updates that we can deploy to our clients.
- We can see how many clients have the updates installed and how many clients require the installation.

# Deploying Updates to our clients.

1. Create a new deployment template.
- This creates a template that instructs the clients that are assigned this template how they will be processing their client updates.
- We can have different templates. For example, we can have a template that states that clients can update within 5 days or certain event or restart settings. We can also have a high priority or emergency template that restricts the amount of time that clients have to apply the updates (maybe we have a high priority patch and we don't care if our systems have to be rebooted in the middle of the day... we just want the patch to be installed as quickly as possible).
- A template is a structure that defines how updates will get applied to clients.

2. Identify the updates and patches that we want to get deployed using our deployment template.
- Create a new update list by selecting the updates that you want to deploy by right clicking and selecting update list. In this case, we are creating a list of updates that we will deploy... we can create a new update list here.
- Now we have a template that describes how our updates will be deployed, and we have an update list that lists the updates that will be deployed. The next thing is to create a deployment package, which is the mechanism by which our updates get deployed.
- Create a new deployment package... we can call it something like April Monthly Package... we will need to select a package location source (this is where files that are downloaded from Microsoft based on our selected list will be stored)... we can also select distribution points for hosting this.

3. Deploy the update by right clicking on the update list and deploying it.
- NOTE that software update packages don't get distributed through the Software Updates Distributions Node.

=============================================
LESSON 13: METERING SOFTWARE USAGE
=============================================
- Allows you to understand not only the software installed in your environment (because SCCM already has this in Software Inventory) but WHEN people are using the software and HOW they are using it.
- It helps you to determine: Have you overbought software? Do you need to buy more software? Are people actually using the software that you have bought?

# Client Agent
- Enable the software metering client agent. Schedule the data collection task too.

# Metering Rules
- Computer Management --> Software Metering.
- What software metering does is almost like a stopwatch. It times the amount of time that the firefox.exe or vmware.exe is actively in use.
- We can check this node to see if the software metering rule has actually been enabled. We can right click and select enable and this causes the software metering client agent to begin to collect information on the usage of the file.
- We can also create new metering rules. For example a rule for Microsoft Word 2007 (winword.exe; version: 12.*)... There is nothing else that we need to do on the client side or server side.

# Metering Reports
- We need to let this rule stay enabled for a while to collect statistics and then we can go under the report node to view reports related to software metering (reports with a category of software metering). Examples include:
~ Total Usage for all metered software programs.
~ Computers that have a metered program installed, but have not run the program since a specified date... We can find users who have the applications installed but are not using them and we can use this to know which licenses to harvest for use elsewhere.
- NOTE that it takes a while for statistics to be collected.

==============================================
LESSON 14: DESIRED CONFIGURATION MANAGEMENT
==============================================
- DCM was first released in SMS 2003 as an optional add-on pack but it works in a whole new way in SCCM 2007.
- It helps you to know when certain configurations are not up to snuff. If you have applications, security configurations or mandates from your organization or compliance or your security department, any of which says your machine must follow a certain baseline, and you need a way of managing that baseline and seeing when your computers are at or not at that baseline, SCCM's DCM is a feature that enables you to do this.
- DCM uses the SCCM client agent to look at specific configurations on machines (whether they be the OS or files or folders, or registry keys, or even AD), to repeatedly analyze them over a long period of time, and to report to you if the machines don't meet the specified configuration.
- This helps to look across our environment to see which machines are correctly configured (or incorrectly configured) in line with a baseline that we have specified.

# Client Agent
- Make sure that the Desired Configuration Client Agent is enabled and configured for use.

# Baselines and Configuration Items
- How to create a baseline and configuration items (these are the two things that we monitor with DCM).
- After enabling the desired configuration client agent, the next thing to do is to identify the configuration that is of actual interest to us.
- It could be a security configuration (e.g. we want to make sure that our AD is configured in a certain way so that it supports our security requirements), or an application configuration (we know that when an application is not configured properly, it breaks and we want to make sure we can solve the problems before they affect our users)... or it could be our desktop configuration.
- NOTE that DCM does not have the ability to remediate or fix the changes in configuration when they occur; the only thing it can do is to notify you.

***** E.G. For Acrobat Reader, if the following registry key is disabled, it causes problems. So we will use DCM to monitor this.

    HKLM\Software\Adobe\Acrobat Reader\8.0\Installer\Optimization
    "Enabled" REG_SZ = YES
****

1. Create a configuration item, which in this case will be the registry key that we want to monitor.
- Desired Configuration Management Node --> Configuration Item --> New --> Application Configuration Item.
- We can create a configuration item related to an Application or an Operating System or a General Configuration Item.
- We can choose to detect if the application is installed by using MSI detection or by using a custom script, or we can even set it to always assume that the application is installed.
- Under object we can test if the object is even present... New --> Registry Key (we can also choose file or folder)... we can choose the kind of error to report if the object is not even present.

2. Create a new baseline. A baseline is a collection of configuration items (whether registry, files or folders).

3. Apply the baseline to a collection by right clicking and selecting: "Assign to a collection".
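
The Acrobat Reader registry check above can also be run by hand on a client as a report-only script, which is useful for confirming what a configuration item should report before assigning the baseline. This PowerShell is an added example, not part of the original notes or of SCCM; `$Baseline` and `Test-ConfigurationItem` are hypothetical names, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report-only check of a registry baseline, mirroring a DCM
# configuration item. $Baseline and Test-ConfigurationItem are hypothetical names.
# Note: 32-bit applications on 64-bit Windows write under
# HKLM:\Software\Wow6432Node instead; adjust Path if that applies.
$Baseline = @(
    @{
        Name     = 'Acrobat Reader 8.0 installer optimization'
        Path     = 'HKLM:\Software\Adobe\Acrobat Reader\8.0\Installer\Optimization'
        Value    = 'Enabled'
        Expected = 'YES'
    }
)

function Test-ConfigurationItem {
    param([hashtable]$Item)

    $state  = 'Compliant'
    $actual = $null
    if (-not (Test-Path -Path $Item.Path)) {
        # The object itself is absent (DCM lets us choose how severe this is)
        $state = 'KeyMissing'
    } else {
        $prop = (Get-ItemProperty -Path $Item.Path).PSObject.Properties[$Item.Value]
        if ($null -eq $prop) {
            $state = 'ValueMissing'
        } else {
            $actual = $prop.Value
            if ($actual -ne $Item.Expected) { $state = 'NonCompliant' }
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Item     = $Item.Name
        State    = $state
        Actual   = $actual
        Expected = $Item.Expected
    }
}

# A baseline is a collection of configuration items: evaluate each one
$results = $Baseline | ForEach-Object { Test-ConfigurationItem -Item $_ }
$results | Format-Table -AutoSize

# Like DCM, this only reports; nothing on the machine is changed
if ($results | Where-Object { $_.State -ne 'Compliant' }) { exit 1 }
```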

# Reports and Compliance
- There are a lot of default reports under the category: "Desired Configuration Management".
- We can find out information about our DCM in our environment.

# PreConfigured Baselines
- DCM seems complicated and it is. We really need to understand what our AD configurations, our OS configurations and our registry keys are... there are a lot of things that we can create baselines for in our environment.
- However, we can import already configured best practices from Microsoft and a lot of other 3rd party websites.
- Microsoft has created a lot of configuration packages (or config packs). One of these is the SCCM 2007 Vulnerability Assessment (VA) Config Pack.
- This can be downloaded freely from the Microsoft website. (The Microsoft System Center Market Place: http://systemcenter.pinpoint.microsoft.com/en-US/applications/search?q=Configuration%20Pack )
- The VA config pack looks for various best practices associated with vulnerabilities or security in our environment. We can install it into our SCCM environment and use it as a starting point for other baselines. When it is installed, the CAB file in the installation location is where the Configuration Items are stored.
- These can be imported by right clicking the Configuration Baselines node and selecting "Import Configuration Data".
- All these are best practices for the different elements that we can now use as baselines without having to create them by ourselves.
- After installing the Vulnerability Assessment Config Pack, we now have four new baselines: IIS Baselines, Windows Baselines and SQL Server Baselines. What this means is that DCM checks:
~ If IIS is installed and, if it is installed, the defined configuration items must be properly configured, etc.

================================================
LESSON 15: REMOTE TOOLS AND WAKE ON LAN FEATURES
================================================
- To use remote assistance, we will need to add the remote assistance feature via Server Manager on our SCCM server.
- Remote Desktop will also need to be enabled on our client machines for Remote Tools to work.
- Systems can be awoken from various sleep states using something called a 'magic packet' to allow them to receive various updates or deployments that we want to do during the maintenance window.

# Enabling Remote Tools
1. Enable the Remote Tools Client Agent... we can prevent local users from changing policy or notification settings in the remote control panel.
- Selecting the option to ask for permission when an administrator tries to access clients means that someone will have to be present at the machine to give the admin permission before remote support will be possible. You might want to uncheck this option if your goal is to be able to remote into machines even when users are not present (but this is based on the remote access policy of your organization).
- Under Security, we can select which users in our environment are allowed to use the remote access tool in the SCCM console.

# Enable Wake on LAN (on the server side and on the client side)
There are three areas where Wake on LAN functionality must be enabled for us to be able to make use of Wake on LAN.

*** The Out of Band Service Point role must be installed. We must enable this site system role and provision computers for out of band management before Wake on LAN will be able to power on computers ***

1. Enable the Wake on LAN functionality in SCCM by right clicking on the site name --> selecting properties and enabling Wake on LAN.

2. ON THE CLIENT NETWORK ADAPTER, Advanced properties --> Wake up capabilities must be enabled.
- ON THE CLIENT NETWORK ADAPTER, Power Management capabilities of the card... we must allow the device (NIC) to bring the computer out of standby... we must also allow management stations to bring the computer out of standby (this enables the NIC to be listening for Wake on LAN packets) and allow the computer to turn off the device to save power.

3. ON THE SERVER... We need to enable Wake on LAN under individual advertisements.
- Under advertisement properties, we can select the option to enable Wake on LAN.
***

# Using Remote Tools
- Right click the system object in SCCM and select Start --> Remote Tools or Remote Assistance.

===========================================
LESSON 16: NETWORK ACCESS PROTECTION (NAP)
===========================================
- The concept of NAP is somewhat complicated and needs patience and practice to understand.

# Explaining NAP
- What exactly is NAP attempting to do?

# 5 types of NAP
- Based on the type of protection that you want for your network there are different options for you.

# Combining NAP and SCCM (Prerequisites; Installation and Configuration; Capabilities)
- After we understand what NAP is, what it does and how it works, then we will look to understand
- One of the first prerequisites of using NAP in SCCM is to first have a NAP infrastructure set up and, depending on what sort of NAP protection you want in your environment, this can be something relatively easy or something complex.
- The hard part in getting NAP to work in SCCM 2007 is
