Thursday 28 August 2014

Role Based Administration in SCCM 2012

In SCCM 2007, implementing granular security in System Center Configuration Manager was an unpleasant task. Getting really granular meant architecting the SCCM environment into multiple primary sites or creating custom consoles for specific classes of administrators.

In SCCM 2007, administrative access to site resources is controlled by using class and instance security settings, which are verified by the SMS Provider computer before access to site information and configuration settings is allowed.

SCCM 2012 introduces role-based administration to centrally define and manage hierarchy-wide security access settings for all sites and site settings. Instead of using individual class rights, role-based administration uses security roles to group the typical administrative tasks that are assigned to administrative users. Security scopes replace individual instance rights per object: they group the permissions that are applied to site objects. The combination of security roles, security scopes, and collections lets you segregate administrative assignments to meet your organization's requirements, and this combination defines what an administrative user can view and manage in the Configuration Manager hierarchy.

Role-based administration provides the following benefits:
·         Sites are no longer administrative boundaries, as they were in SCCM 2007.
·         We can create administrative users for the hierarchy and assign security to them one time only.
·         All security assignments are replicated and available throughout the hierarchy.
·         There are built-in security roles that cover the typical administration tasks, and we can create our own custom security roles.
·         Administrative users see only the objects that they have permissions to manage.

The default built-in roles provided in SCCM 2012 are listed below (each role name is followed by its description):

Application Administrator
Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, and edit settings for user device affinity.
Application Author
Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications and packages.
Application Deployment Manager
Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, and conditional delivery rules.
Asset Manager
Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.
Compliance Settings Manager
Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, and initiate compliance evaluation, and initiate remediation for non-compliant computers.
Endpoint Protection Manager
Grants permissions to define and monitor security policies. Administrative users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify alerts, and monitor Endpoint Protection status.
Full Administrator
Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.
Infrastructure Administrator
Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.
Operating System Deployment Manager
Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.
Operations Administrator
Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.
Read-Only Analyst
Grants permissions to view all Configuration Manager objects.
Remote Tools Operator
Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.
Security Administrator
Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.
Software Update Manager
Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP).

A simplified logical design diagram layering the key concepts in Role Based Administration:

Role Based Administration provides a security model for assigning and managing administrative permissions (delegation). RBA is implemented with Security Roles, Security Scopes and Collections in Configuration Manager 2012; together these control who can perform administrative tasks, how, on what, on which objects and where.

Implementing a custom security role

In the SCCM 2012 console, click Administration, expand Security and click Security Roles. The 14 built-in roles can be seen here.


We want to create a custom security role that allows users assigned to it to read Software Update reports. As there is no option to create a blank new role, we have to use the Copy function to create the new security role. Select the built-in Software Update Manager role, right click and choose Copy.


We then have to expand each permission that is not required and change it from Yes to No (double click each one to change it). For example, expand the Alerts permissions and set them all to No, as none of these permissions is required to read reports.

Configure the permissions so that only the following are set to Yes:
·         Site: Read
·         Software Updates: Read, Run Report


Click OK when done; the custom SUM Reports Reader role should now appear in the console.
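As an added illustration (not Configuration Manager's own code), the following Python model shows how a role assignment, its security scopes and an object's scope tag combine into an allow or deny decision, which is the "who, how, what, which and where" described earlier; the SUM Reports Reader permissions follow this post, while the other role contents, scope names and objects are constructed for the example.

```python
"""Simplified model of Configuration Manager role-based administration (added example,
not Configuration Manager code).  An administrative user holds assignments of
(security role, security scopes, collections); an operation is allowed only when some
assignment's role grants it on the object's type AND the object carries one of that
assignment's scopes (collections must be assigned directly).  Role contents other than
SUM Reports Reader, and all scope/object names, are constructed for the example."""
from dataclasses import dataclass, field

ROLES = {
    # Exactly what the post configures for the custom role
    "SUM Reports Reader": {"Site": {"Read"}, "Software Updates": {"Read", "Run Report"}},
    # Constructed subset of the built-in role, for contrast only
    "Software Update Manager": {"Site": {"Read"}, "Collection": {"Read"},
                                "Alerts": {"Read", "Modify", "Delete"},
                                "Software Updates": {"Read", "Modify", "Delete", "Run Report"}},
}

@dataclass(frozen=True)
class SiteObject:
    object_type: str
    name: str
    scopes: frozenset            # security scopes the object is tagged with

@dataclass
class Assignment:
    role: str
    scopes: set                  # security scopes granted together with the role
    collections: set = field(default_factory=set)

def is_allowed(assignments, operation, obj):
    """True if any assignment grants `operation` on `obj` and the scopes intersect."""
    for a in assignments:
        if operation not in ROLES[a.role].get(obj.object_type, set()):
            continue                      # role does not grant this operation at all
        if obj.object_type == "Collection":
            if obj.name in a.collections:
                return True
        elif obj.scopes & a.scopes:       # object is inside one of the granted scopes
            return True
    return False

def visible_objects(assignments, objects):
    """Names of the objects the user can at least Read: what the console would list."""
    return [o.name for o in objects if is_allowed(assignments, "Read", o)]

# Constructed inventory: two update groups in different scopes, one alert, one collection
OBJECTS = [
    SiteObject("Software Updates", "August 2014 updates", frozenset({"Default"})),
    SiteObject("Software Updates", "Lab updates", frozenset({"Lab"})),
    SiteObject("Alerts", "Low free space", frozenset({"Default"})),
    SiteObject("Collection", "All Workstations", frozenset()),
]
READER = [Assignment("SUM Reports Reader", {"Default"})]
MANAGER = [Assignment("Software Update Manager", {"Default", "Lab"}, {"All Workstations"})]
```

The reader can run a report on the update group in its own scope but sees neither the alert nor the Lab-scoped group, which is the behaviour to verify after assigning the custom role to a user.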

Wednesday 20 August 2014

Installing Application Catalog Web Site Roles

The Application Catalog and Software Center

In SCCM 2012, the Application Catalog is a website where users can browse for and request software. To use the Application Catalog, two site system roles need to be installed for the site: the Application Catalog web service point and the Application Catalog website point.

Software Center is an application that is installed together with the SCCM 2012 client on Windows-based computers. Users run this application to request software and to manage the software that is deployed to them by using Configuration Manager. The Application Catalog is the user's gateway to the available applications that users can install, while Software Center helps the user track the status of available and required software and lets users configure various options, such as their business hours, to prevent their computer from restarting during their working day.
Software Center lets users do the following:

·         Browse for and install software from the Application Catalog.
·         View their software request history.
·         Configure when Configuration Manager can install software on their devices.
·         Configure access settings for remote control, if an administrative user has enabled remote control.

Adding the Application Catalog Web Site Roles

In Administration, click Servers and Site System Roles, right click our site server and choose Add Site System Roles.


Provide the SCCM site server name and click Next at the wizard's General screen.

Select both of the Application Catalog roles:
·         Application catalog web service point
·         Application catalog website point


Confirm the Application Catalog web service point selections. It uses the default web site, and the web application name defaults to CMApplicationCatalogSVC.


The Application Catalog website point settings should be as follows:

Provide an organization name and pick a colour scheme for the Application Catalog.


In the Summary screen we can review the information provided.


Click Next through the Summary and Progress screens, and verify everything at the Completion screen.


We can also track and check the installation status in SMSPORTALWEBSetup.log.

In the log, search for the entry "portlweb.msi exited with return code: 0", which indicates a successful installation.
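As an added example (not from this post or from Configuration Manager), the following Python parses CMTrace-format log entries and checks the portlweb.msi return code, so the success check above can be automated across servers; the sample log lines are constructed for the example, not copied from a real SMSPORTALWEBSetup.log.

```python
"""Parse CMTrace-format setup log entries and check the portlweb.msi result (added
example, not Configuration Manager code).  Site system setup logs such as
SMSPORTALWEBSetup.log write one entry per line as
<![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="..." ...>.
The sample lines below are constructed for the example, not copied from a real log."""
import re

# One CMTrace entry: the message body and the attribute list that follows it
ENTRY_RE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# The entry the post tells us to search for, with the return code captured
MSI_RESULT_RE = re.compile(r"(?P<msi>[\w.-]+\.msi) exited with return code: (?P<code>\d+)")

# Windows Installer exit codes worth recognising (documented MSI values)
MSI_SUCCESS = 0
MSI_SUCCESS_REBOOT_REQUIRED = 3010

def parse_cmtrace(text):
    """Yield one dict per entry: message plus the time/date/component/type attributes."""
    for m in ENTRY_RE.finditer(text):
        entry = {"message": m.group("msg")}
        entry.update(ATTR_RE.findall(m.group("attrs")))
        yield entry

def msi_results(text):
    """Map each MSI named in an 'exited with return code' entry to its exit code."""
    results = {}
    for entry in parse_cmtrace(text):
        hit = MSI_RESULT_RE.search(entry["message"])
        if hit:
            results[hit.group("msi").lower()] = int(hit.group("code"))
    return results

def portal_install_state(text):
    """'ok', 'reboot-required', 'failed' or 'missing' for the portlweb.msi entry."""
    code = msi_results(text).get("portlweb.msi")
    if code is None:
        return "missing"        # no result line yet: setup still running or never started
    if code == MSI_SUCCESS:
        return "ok"
    if code == MSI_SUCCESS_REBOOT_REQUIRED:
        return "reboot-required"  # files installed, role not usable until restart
    return "failed"

def portal_install_ok(text):
    """True only when the log shows portlweb.msi exited with return code 0."""
    return portal_install_state(text) == "ok"

# Constructed sample log in CMTrace layout (attribute values are made up)
SAMPLE_OK = (
    '<![LOG[Installing portlweb.msi]LOG]!><time="10:01:02.123+000" date="08-20-2014" '
    'component="SMSPORTALWEBSetup" context="" type="1" thread="1234" file="portlweb.cpp:1">\n'
    '<![LOG[portlweb.msi exited with return code: 0]LOG]!><time="10:01:40.000+000" '
    'date="08-20-2014" component="SMSPORTALWEBSetup" context="" type="1" thread="1234" '
    'file="portlweb.cpp:2">\n'
)
SAMPLE_FAIL = SAMPLE_OK.replace("return code: 0", "return code: 1603")
```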

Tuesday 19 August 2014

Adding Windows 7 x64 operating system image in SCCM 2012


In the SCCM 2012 console, select Software Library, expand Operating Systems, click Operating System Installers and choose Add Operating System Installer from the ribbon (alternatively, right click to get the same option).

Browse to the UNC path containing the extracted contents of your Windows 7 x64 Enterprise ISO (I extracted mine and copied it to \\sccm2012\Packages\Win7) and click Next.


Fill in some general information about the image.


We can review the information provided while adding the image on the Summary page.


Click Next and complete the wizard.

How to enable PXE Supports for Clients in SCCM 2012

In the SCCM 2012 console, click Administration, Site Configuration, Servers and Site System Roles. Double click the Distribution Point role listed (or right click and select Properties), select the PXE tab and tick Enable PXE support for clients; answer Yes when prompted about firewall ports (UDP ports 67, 68, 69 and 4011).

Enable all options, then click the User Device Affinity drop-down and set it to Allow user device affinity with automatic approval.

Operating System Deployment in SCCM 2012

Operating system deployment with SCCM 2012 provides a tool for creating operating system images so that we can deploy them to computers that are managed by Configuration Manager, and for deploying to unmanaged computers by using bootable media such as a CD set, DVD or USB flash drive. The operating system image, a Windows Imaging Format (WIM) file, contains the required version of a Windows operating system and any line-of-business applications that have to be installed on the computer.
Operating system deployment provides the following functionality:
·         We can capture an image of the operating system that we want to deploy.
·         We can capture and restore user state by using the User State Migration Tool (USMT).
·         We can deploy the operating system image to a collection of computers.
·         We can create task sequences that perform multiple actions on a computer at the command-line level without requiring user intervention.

What's new in SCCM 2012 for Operating System Deployment?
·         We can now apply Windows updates by using Component-Based Servicing (CBS) to update the Windows Imaging (.wim) images that are stored in the image node of the Software Library.
·         The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to pre-staged media, bootable media, and stand-alone media.
·         The Task Sequence Media Wizard can be configured to suppress the Configuration Manager boot media wizard during operating system installation. This enables us to deploy operating systems without end user intervention.
·         A deployment can be defined in a prestart command, which overrides the existing deployments to the target computer. Use the SMSTSPreferredAdvertID task sequence variable to configure the task sequence to use the specific Offer ID that defines the conditions for the deployment.
·         The same task sequence media can be used to deploy operating systems to computers anywhere in the hierarchy.
·         The Capture User State and Restore User State task sequence actions support new features from the User State Migration Tool (USMT) version 4.
·         The Install Application task sequence action can be used to deploy applications from the Software Library when you deploy an operating system.
·         User device affinity can be defined for a client computer during operating system deployment.
·         The functionality of the PXE service point and its configuration has moved to the distribution point to increase scalability.
·         SCCM 2012 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of the Windows Automated Installation Kit (Windows AIK) to deploy an operating system. Before installing the SCCM server, Windows ADK needs to be installed on the site server and the provider computer.
·         The USMT for Windows 8 is installed along with Windows ADK. At the top-level site, SCCM setup automatically creates the package for this new version of USMT.
·         While installing SCCM, the default boot images at the site are updated automatically. You must manually update any custom boot images.

The Operating System Deployment Process

SCCM 2012 provides several methods that you can use to deploy an operating system. Regardless of the deployment method used, there are several actions that need to be considered and require attention. These actions include the following:
·         Taking care of any Windows device drivers that are required to run the boot image or the operating system image that you have to deploy.
·         Providing the boot image that is required to start the destination computer. SCCM 2012 comes with two default boot images.
·         Capturing an image of the operating system to deploy by using a task sequence.
·         Distributing the boot image, operating system image, and any related content to a distribution point.
·         Creating a task sequence to deploy the boot image and the operating system image.
·         Deploying the task sequence to the collection that contains the destination computer. If there are multiple computers in the collection, the task sequence is deployed to each computer in the collection.


Types of Operating System Deployment
Through SCCM 2012 we can deploy an operating system in five different ways:
·         PXE initiated deployments
·         Multicast deployments
·         Bootable Media Deployments
·         Stand-alone Media Deployments
·         Pre-staged Media deployments

PXE initiated deployments
In this method of deployment the operating system image and the Windows PE boot image are distributed to a distribution point that is configured to accept PXE boot requests. This allows client computers to request the deployment over the network.

Multicast deployments.
This type of deployment conserves network bandwidth by concurrently sending data to multiple clients instead of sending a copy of the data to each client over a separate connection. In this method of deployment the operating system image is sent to a distribution point, which in turn deploys the image when client computers request the deployment.

Bootable Media Deployments
Through bootable media deployments we can deploy an operating system when the destination computer starts. When the destination computer starts, it retrieves the task sequence, the operating system image, and any other required content from the network. Because that content is not included on the media, you can update the content without having to re-create the media.

Stand-alone Media Deployments
Through stand-alone media deployments we can deploy operating systems in two different situations:
1.        In site locations where we cannot copy an operating system image or other large packages over the network.
2.        Where there is no network connectivity or only low-bandwidth network connectivity.

Pre-staged Media deployments
Pre-staged media deployments let us deploy an operating system to a computer that is not fully provisioned. The pre-staged media is a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment.
Later, when the computer starts in the System Center 2012 Configuration Manager environment, the computer starts by using the boot image provided by the media, and then connects to the site management point for available task sequences that complete the download process. This method of deployment can reduce network traffic because the boot image and operating system image are already on the destination computer. Starting at Configuration Manager SP1, you can specify applications, packages, and driver packages to include in the pre-staged media.


Thursday 7 August 2014

How to enable Bitlocker using SCCM task sequence for bare metal installation of Windows 7(Using Windows 7 Image)

We can deploy Windows 7 on machines using a captured Windows 7 image. We can capture this image using the SCCM Build and Capture task sequence.
To enable BitLocker using the image we need to create separate partitions in the SCCM task sequence (apart from the OS and data partitions).

This can be achieved with the Format and Partition Disk step of an MDT-integrated SCCM task sequence or of a state migration task sequence.

To enable BitLocker in Windows 7 we require a 300 MB partition, so we have to create a 300 MB partition and name it BOOTPART.
The BOOTPART partition should be a primary, NTFS boot partition, so select the required options while creating it.
Select the Make this the boot partition check box and check Quick format.
Select Advanced options and type the variable name BOOTPART.


Create a partition for the operating system drive as per organization policy and make it Primary, then select the Quick format check box as shown in the screenshot.
Provide the partition name and the variable name OSPART for the operating system drive.


For the data drive create a secondary partition and select the partition type Extended. Then select the Use percentage of remaining free space option and set the size to 90%.


Then create one more partition named DATA. Select partition type Logical and set the size to 100%.
Select Quick format and the NTFS file system, and under Advanced options type the variable name DATA.
The next step is to apply the operating system to the proper drive, i.e. the operating system drive (OSPART).
Select the Apply Operating System Image task of the task sequence, then browse to the required image in the image location.
At the bottom, select where you want to apply this operating system. In the Destination option scroll down and select Logical drive letter stored in a variable.
In the Variable name box type OSPART. In this way the operating system will be installed on the operating system drive.