Friday 14 November 2014

Deployment Monitoring Tool in SCCM 2012 Toolkit



The Deployment Monitoring Tool (DeploymentMonitoringTool.exe) is a new addition to the SCCM 2012 Toolkit. It is a graphical user interface designed to assist in troubleshooting application, update and baseline deployments.







The tool comes with the following features:
1. Actions
2. Client Properties
3. Deployments
4. All Updates






Deployment Monitoring Tool MUST be run as administrator.

Through the Actions menu you can perform the following tasks:
(a) Connect to a remote computer
(b) Import and export XML files of a system for further troubleshooting
(c) Review the log file that matches the selected tab: PolicyAgent.log for the Application and Baseline Deployments tab, updatesDeployment.log for the Update Deployments tab, and WindowsUpdate.log for the All Updates tab


Client Properties
The Client Properties tab shows all the client details. The following information is very helpful when troubleshooting: client logs directory, ccmexec service status, service window (maintenance window) status, proxy MP, resident MP details, WSUS locations, update sources, last policy refresh cycle, assigned MP, site code, client approved status and certificate information.



Deployments
The Deployments tab lists the details of each targeted deployment: Name, Deadline, State, Type and ID.
For example, in the following screenshot, the deployed application is OPTIONAL, the state of the deployment is APP_CI_ASSIGNMENT_EVALUATION, its Deployment ID is shown, and its Deployment Type is Application. However, if you look at the other two deployments, you can see that one is a Software Update and the other is a mandatory application deployment with a deadline.
The bottom pane of the tool shows the in-depth characteristics of the selected deployment.


The following properties can be retrieved. These details are very helpful when troubleshooting.

1. AssignmentAction
2. DisableMomAlerts, NotifyUser
3. SuppressReboot
4. OverrideServiceWindows
5. RaiseMomAlertOnFailure
6. StartTime
7. Target
8. RebootOutsideOfServiceWindows
9. UserUIExperience
10. DeploymentType


We can retrieve in-depth details about the selected deployment at the bottom (every detail that you specified when creating the new application). For example: Properties (as mentioned above), Policy, Evaluation, Content, Enforcement, Reporting and Requirement Violations.


All Updates
The All Updates tab provides the details of all the required updates along with their status:
Article ID, Bulletin, Status, Title, Unique ID, Scan Time, Source Version and Source Unique ID.





Thursday 6 November 2014

Managing workgroup clients in SCCM 2012

The Server Locator Point is no longer a separate site system role in SCCM 2012. Its functionality is merged into the Management Point.
To install the CM12 client on workgroup machines:
  1. Make sure that the Management Point is published in DNS or WINS.
  2. Make sure the Management Point FQDN can be resolved from the client machine.
  3. For the client installation on workgroup machines, run CCMSetup.exe with local Administrator privileges.
CCMSetup.exe and its supporting files are located on the System Center 2012 Configuration Manager site server in the Client folder of the System Center 2012 Configuration Manager installation folder. This folder is shared to the network as \\<Site Server Name>\SMS_<Site Code>\Client.

At the command prompt, the CCMSetup.exe command uses the following format:
CCMSetup.exe [Ccmsetup properties] [client.msi setup properties]

For example, the command CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=S01 FSP=SMSFSP01 performs the following actions:

·         Specifies the management point named SMSMP01 to request a list of distribution points from which to download the client installation source files.
·         Specifies that installation should stop if a version of the System Center 2012 Configuration Manager or Configuration Manager 2007 client already exists on the computer.
·         Instructs client.msi to assign the client to the site code S01.
·         Instructs client.msi to use the fallback status point named SMSFSP01.

  4. If the Management Point has not been published to Active Directory but you want to manage domain clients with SCCM 2012, you can use the client push installation method with additional properties for client.msi (make sure the Management Point is published in DNS or WINS and that the Management Point FQDN can be resolved from the client machine):


           SMSSITECODE=XYZ SMSMP=SCCM2012.domain.com FSP=SMSFSP01 DNSSUFFIX=domain.com
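
The checks from the steps above (elevation, Management Point name resolution) followed by the CCMSetup.exe call, as an added PowerShell example that is not part of the original post. The function name and the C:\Temp\Client path are assumptions; the property values are the sample values used on this page.

```powershell
# Added example, not from the original post. Sample values (SCCM2012.domain.com,
# XYZ, SMSFSP01, domain.com) are the ones used on this page; C:\Temp\Client is assumed.
function Install-CMClientWithChecks {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CcmSetupPath,      # path to CCMSetup.exe
        [Parameter(Mandatory = $true)][string]$ManagementPoint,   # Management Point FQDN
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode,
        [string]$FallbackStatusPoint,
        [string]$DnsSuffix
    )

    # CCMSetup.exe needs local Administrator privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt as a local Administrator.'
    }

    # The Management Point FQDN must resolve from this client (DNS or WINS).
    try   { [void][System.Net.Dns]::GetHostAddresses($ManagementPoint) }
    catch { throw "Cannot resolve management point '$ManagementPoint'." }

    if (-not (Test-Path -LiteralPath $CcmSetupPath -PathType Leaf)) {
        throw "CCMSetup.exe not found at '$CcmSetupPath'."
    }

    # CCMSetup properties come first, client.msi properties after them.
    $arguments = @("/mp:$ManagementPoint", "SMSSITECODE=$SiteCode", "SMSMP=$ManagementPoint")
    if ($FallbackStatusPoint) { $arguments += "FSP=$FallbackStatusPoint" }
    if ($DnsSuffix)           { $arguments += "DNSSUFFIX=$DnsSuffix" }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "CCMSetup.exe $($arguments -join ' ')")) {
        # CCMSetup continues as a service after this process returns;
        # follow ccmsetup.log for the final result.
        (Start-Process -FilePath $CcmSetupPath -ArgumentList $arguments -Wait -PassThru).ExitCode
    }
}

# -WhatIf runs the checks and prints the command line without installing anything.
Install-CMClientWithChecks -CcmSetupPath 'C:\Temp\Client\CCMSetup.exe' `
    -ManagementPoint 'SCCM2012.domain.com' -SiteCode 'XYZ' `
    -FallbackStatusPoint 'SMSFSP01' -DnsSuffix 'domain.com' -WhatIf
```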


Thursday 28 August 2014

Role Based Administration in SCCM 2012

In SCCM 2007, implementing granular security in System Center Configuration Manager was a cumbersome task. Getting really granular meant architecting the SCCM environment into multiple primary sites or creating custom consoles for specific classes of administrators.

In SCCM 2007, administrative access to site resources is controlled by class and instance security settings, which are verified by the SMS Provider computer to allow access to site information and configuration settings.

SCCM 2012 Configuration Manager introduces role-based administration to centrally define and manage hierarchy-wide security access settings for all sites and site settings. Instead of using individual class rights, role-based administration uses security roles to group typical administrative tasks that are assigned to multiple administrative users. Security scopes replace individual instance rights per object to group the permissions that are applied to site objects. The combination of security roles, security scopes, and collections allows you to segregate the administrative assignments to meet your organization's requirements, and this combination defines what an administrative user can view and manage in the Configuration Manager hierarchy.

Role-based administration provides the following benefits:
·         Sites are no longer administrative boundaries, as they were in SCCM 2007.
·         We can create administrative users for the hierarchy and assign security to them one time only.
·         All security assignments are replicated and available throughout the hierarchy.
·         There are built-in security roles to assign the typical administration tasks and we can create our own custom security roles.
·         Administrative users see only the objects that they have permissions to manage.
The default built-in roles provided in SCCM 2012 are listed below:

Role: Description

Application Administrator: Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, and edit settings for user device affinity.

Application Author: Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications and packages.

Application Deployment Manager: Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, and conditional delivery rules.

Asset Manager: Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.

Compliance Settings Manager: Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, initiate compliance evaluation, and initiate remediation for non-compliant computers.

Endpoint Protection Manager: Grants permissions to define and monitor security policies. Administrative users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify alerts, and monitor Endpoint Protection status.

Full Administrator: Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.

Infrastructure Administrator: Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.

Operating System Deployment Manager: Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.

Operations Administrator: Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.

Read-Only Analyst: Grants permissions to view all Configuration Manager objects.

Remote Tools Operator: Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.

Security Administrator: Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.

Software Update Manager: Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP).

A simplified logical design diagram which layers the key concepts in Role Based Administration

Role Based Administration (RBA) is a security model for assigning and managing administrative permissions, that is, delegation. RBA is accomplished by using Security Roles, Security Scopes and Collections in Configuration Manager 2012. Together these control Who, How, What, Which and Where administrative tasks can be performed.
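
Because the effective rights of an administrative user are the combination of role, scope and collection, a least-privilege review has to look at all three together. The following is an added PowerShell example, not part of the original post, that flags broad combinations. The function name, the CONTOSO accounts and the choice of which roles count as high privilege are assumptions; the input objects are constructed samples shaped like the SMS Provider's SMS_Admin class (LogonName, RoleNames, CategoryNames, CollectionNames).

```powershell
# Added example (not from the original post): review role / scope / collection
# assignments and flag the broad combinations.
function Get-BroadCMAdminAssignment {
    param(
        [Parameter(Mandatory = $true)][object[]]$Admin,
        # Assumption: roles treated as high privilege for this review.
        [string[]]$HighPrivilegeRole = @('Full Administrator', 'Security Administrator',
                                         'Operations Administrator'),
        # Assumption: default names of the built-in scope and collections that cover everything.
        [string]$AllScope = 'All',
        [string[]]$AllCollection = @('All Systems', 'All Users and User Groups')
    )
    foreach ($a in $Admin) {
        $roles      = @($a.RoleNames       | Where-Object { $HighPrivilegeRole -contains $_ })
        $colls      = @($a.CollectionNames | Where-Object { $AllCollection -contains $_ })
        $scopeIsAll = @($a.CategoryNames) -contains $AllScope
        # A high-privilege role only becomes hierarchy-wide when scope or collection is unrestricted.
        if ($roles.Count -gt 0 -and ($scopeIsAll -or $colls.Count -gt 0)) {
            [pscustomobject]@{
                LogonName   = $a.LogonName
                Roles       = $roles -join ', '
                AllScope    = $scopeIsAll
                Collections = $colls -join ', '
            }
        }
    }
}

# Constructed sample data. Against a live site the input would come from the SMS Provider:
#   Get-WmiObject -Namespace 'root\SMS\site_XYZ' -Class SMS_Admin
$sample = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\cmadmin'; RoleNames = @('Full Administrator')
        CategoryNames = @('All'); CollectionNames = @('All Systems', 'All Users and User Groups') },
    [pscustomobject]@{ LogonName = 'CONTOSO\secops'; RoleNames = @('Security Administrator')
        CategoryNames = @('Default'); CollectionNames = @('All Systems') },
    [pscustomobject]@{ LogonName = 'CONTOSO\sumreader'; RoleNames = @('SUM Reports Reader')
        CategoryNames = @('Default'); CollectionNames = @('All Systems') },
    [pscustomobject]@{ LogonName = 'CONTOSO\branchops'; RoleNames = @('Operations Administrator')
        CategoryNames = @('Branch Offices'); CollectionNames = @('Branch Workstations') }
)
Get-BroadCMAdminAssignment -Admin $sample | Format-Table -AutoSize
```

With the sample data only the first two accounts are reported; the custom read-only role and the Operations Administrator limited to a branch scope and collection are not.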

Implementing a custom security role

In the SCCM 2012 console, click on Administration, expand Security and click on Security Roles. The 14 built-in roles can be seen here.


We want to create a custom security role that allows users assigned to it to read Software Update reports. As there is no option to create a blank new role, we have to use the Copy function to create our new security role. Select the built-in Software Update Manager role, right-click and choose Copy.






Expand each permission group that is not required and change its permissions from YES to NO (double-click each one to change it). For example, expand the Alerts permissions and set them all to NO, as none of these permissions is required to read reports.



Configure the permissions so that only the following are set to Yes:
·         Site: Read
·         Software Updates: Read, Run Report


Click OK when done. The custom SUM Reports Reader role should now appear in our console.






Wednesday 20 August 2014

Installing Application Catalog Web Site Roles


The Application Catalog and Software Center

In SCCM 2012, the Application Catalog is a website where users can browse for and request software. To use the Application Catalog, two roles need to be installed for the site: the Application Catalog web service point and the Application Catalog website point.

Software Center is an application that is installed when the SCCM 2012 client is installed on Windows-based computers. Users run this application to request software and manage the software that is deployed to them by using Configuration Manager. The Application Catalog is the user's gateway to the available applications that users can install, while Software Center helps the user track the status of available and required software, and lets users configure various options, such as their business hours to prevent their computer from restarting during their working day.
Software Center lets users do the following:

  • Browse for and install software from the Application Catalog.
  • View their software request history.
  • Configure when Configuration Manager can install software on their devices.
  • Configure access settings for remote control, if an administrative user enabled remote control.

Adding the Application Catalog Web Site Roles

In Administration, click on Servers and Site System Roles, right-click on our Site Server and choose Add Site System Roles.


Provide the SCCM site server name and click Next on the General screen of the wizard.

Select both of the Application Catalog roles
·         Application catalog web service point
·         Application catalog website point


Confirm your Application Catalog web service point selections. The wizard fills in the default web site and the web application name CMApplicationCatalogSVC.


And the Application Catalog Website Point settings should be



Provide the organization name and pick a colour scheme for the Application Catalog.


On the Summary screen we can review the information provided.


Click Next through the summary and progress screens, and verify everything at the completion screen.


We can also track and check the installation status in SMSPORTALWEBSetup.log.



In the log, search for the entry "portlweb.msi exited with return code: 0", which indicates a successful installation.