MMS 2007 Day 3 (28 March)

This morning's keynote was presented y Kirill Tatarinov, Corporate Vice President, Windows Enterprise Management Division.  He continued the DSI discussion and the idea of System Center as "ERP for IT" - embedded knowledge, model-based policy and automation.  He announced SCCM 2007 integration with Intel Active Management Technology (AMT).  Bill Anderson did a demo of DCM, creating a collection based on DCM non-compliance to which he advertised a MSI repair program.  So any system that falls out of compliance with that MSI install is automatically repaired. 

Rakesh Malhotra, Group Program Manager, Virtual Manager, demo'd System Center Virtual Machine Manager 2007 Beta 2.  He created a new VM from a template and showed that regardless of the physical hardware you can choose from a long list of virtual processor types.  The list of available hosts is rated (0-5 stars) to choose the best location for the new VM.  SCVMM Console is built on PowerShell commandlets, thus it is easy to automate tasks for bulk processing.  From inside SCOM he was able to quickly migrate a VM with disk IO issues to a new host which cleared the disk warning.  Very slick.

Kirill talked about System Center Service Manager which will provide incident and problem maangement, change management and asset lifecycle management.  Beta 1 should be available in about 45 days and should RTM in H1 CY 2008.  He made the comment, "the space is dominated by dinosaurs from the last century."  Ken Van Hyning, Group Program Manager, Operations and Service Management, demo'd the product.  The SCSM self-service portal is built on SharePoint.  He showed how users can request software: they are presented with a list of software available to that user, local or virtual, approval required or not.  A software request that requires approval generates a service request and an e-mail to the user's manager.  They've created a System Center gadget for Vista that shows open requests (very cool!).  SCCM Asset Intelligence flows into SCSM.  He then went in as a manager-role and approved the requested software (virtual).  The icon appeared on the desktop in less than a minute.

The first session of the day was SCCM 2007 Deployment: Part 2.  Dave walked through the SCCM installation process.  The Site Server Signing Certificate is used to sign policies so that clients know they are receiving policy from the correct server.  During setup, choosing native mode requires selecting a site server signing certificate that is already installed on the system.  This must be done before you can continue with setup in native mode.  In mixed mode only HTTP is available, but a custom port can be provided.

UI validation in wizards shows a white exclamation point (!) in a red circle if the field has a problem.  "Retrieve all data from this site system" is the option to configure the push or pull option during site system creation.  SCCM setup with process notification is not serial (some tasks happen in parallel).  SLP and FSP are insecure site systems which might be a good reason to physically separate them from other roles.

OU-based site assignment via group policy (.ADM template) works for new clients as well as reassigning clients!  SUP (WSUS) and GP client deployments are recommended.  Aside from existing Client Push Installation SCCM adds a new Client Installation Method: SUP Client Installation.  Confiure Windows Update group policy as well as Client Installation template (with CCMSetup parameters).  Similar for GP deployment: assign CCMSetup.msi, then the client receives the parameters from policy.

ConfigMgr 2009 is the next version.

The next session was SCCM 2007: Deploying Software Updates.  The session was sort of split in half with the first presented by Marc Umeno, Program Manager, SCCM, and the second by Bryan Keller, Program Manager, SCCM. There is now just one scan agent and one catalog with full Microsoft Update and available third-party content. It no longer relies on hardware inventory but uses state messages. Clients selectively download required binaries instead of the whole package. Marc had two excellent slides on SUM architecture and client functionality. In the console you can now drag-and-drop updates from the repository to the deployment template to launch the DSUW, which is now only about 5 pages instead of 17 to click through.

There are 24 new SUM reports on compliance, deployment and troubleshooting.

One side-note: Vista Restart Manager. Scenario: a user has open Office 2007 applications (which are written to use VRM) and locks the workstation at the end of the day. Updates are scheduled with a deadline for that night so the system installs the updates and then restarts. Once it comes back up the applications return to the exact same state (I'm guessing after the user logs on...?).

For custom updates instead of the SMS administrator using software distribution for application update the application owner can easily create a custom catalog for scanning and installation. Corporate Publishing XML for authoring custom updates in System Center Updates Publisher.

After lunch I attended a smaller but great session, WSUS 3.0 Overview presented by Craig Marl, Program Manager, WSUS. WSUS 3.0 will be an in-place upgrade, everything will be migrated. Not the headache of SUS to WSUS upgrades. Client will update to the new version on first contact with the new server. WSUS 2 downstream server can sync with a v3 parent. Upgrades should be done top-down.

There is a new out-of-box experience (configuration wizard) for the initial setup. Among other things it allows for an initial mini-synchronization with Microsoft Updates for the products and classifications to allow you to select the features and then does the full synchronization. There is a new Microsoft Update Improvement Program that allows for the entire customer hierarchy to bubble up update information (count, success rate) to MU. The default install uses the server language instead of all available languages. It can be configured to sync with MU more regularly than daily (e.g., hourly). The console is now a MMC to provide a richer experience and more features (e.g., host multiple servers in one console). You can now report on multiple updates, and e-mail notification is built-in. There are new replica options and auto-approval is more granular. Nested group targeting is available as well as overlapping group membership (approval takes precedence). The idea of "approve for detection" is gone, updates are now always detected. With the MMC comes features like add (e.g., MSRC, classification), sort and resize columns. Can group (like in Outlook) and can approve in bulk. View customizations can be applied to all views, and custom views can be created (using rules like in Outlook). There is a Downstream Servers node in the console to see them from the parent. A personalization option allows admins to turn off To Do List items (like "SSL not enabled"). A per-server Server Cleanup Wizard can purge expired or superceded updates, orphaned clients, etc. Not schedulable in the UI, but can via CLI.

There is a 50% improvement in reporting performance and the initial sync time is down from ~90 minutes to ~20 minutes. NLB + SQL cluster backend is now supported for high-availability. There is also a MOM/SCOM management pack. Reports can be printed or saved to Excel or PDF. Reporting data is rolled up to the central site and there is also a new read-only "Reporters" user role (yay!). Some read-only SQL Views are also now available. Lightweight hardware and software inventorying is available, though turned off by default. Even when enabled the information is not viewable in the console UI but accessed through reporting against the SQL Views.

WSUS 3.0 is expected to RTM H1 2007 (by June if not before).

The last session I attended today was SCCM 2007 Deploying Windows in the Enterprise, Part 1 with Michael Kelley, Lead Program Manager, SCCM. SCCM Operating System Deployment (OSD) is about zero-touch and automation. It's not just installing the OS but focused on complete, end-to-end OS deployment. Available deployment scenarios include new machine, wipe-and-load (preserve user state), side-by-side (new hardware, migrate user state), in-place migration/upgrade, offline with removeable media, and PXE boot/self-provisioning. The OS package contains the WIM image but no programs as before; images are deployed via task sequences. A boot image is a package containing WinPE 2.0 (no support for WinPE 2004 or WinPE 2005), which can be customized with the standard Vista/Longhorn tools. OSD also provides for setup.exe-based installation from media (not an image). In the RC build binary delta replication will be enabled by default for OS packages. Search and Organization folders are supported in the OSD node. 

Task sequences are policy from the MP and can't be done to Internet clients. Three basic stages: old OS, WinPE, and new OS. Task sequences can be used for generic sequencing, i.e., OS deployment can technically be removed from a task (just deploy tasks for application installation/configuration). They always run under the System context. Task sequences are advertised to collections per the normal procedure that show under Software Distribution - Advertisements. Each step/task generates a status message (not state) to preserve the time history. The SCCM client does not need to be pre-installed in the image as it is now typically installed immediately following mini-setup. An 32bit boot image can be used to deploy an 64bit image. Task sequences have "Continue-on-error" logic which can get complicated with how it is handled at the group level. Task sequences can be exported to XML which is a good way to examine the details to see what's happening behind the scenes.

Task sequences can utilize parameters that pull from collection or computer-specific variables. These are similar to Windows environment variables, e.g., %varname%. Precedence can be set for collection variables to handle conflicts; computer variables take precedence. Predefined variables are available from the underlying task sequencing engine, e.g., _SMSISInWinPE. These variables can also easily be accessed by external scripts through a COM object. Task sequences are secured in the database, in transit to the client, as well as on the client so credentials, product keys, etc., can be used safely.

Task sequence jumping (condition fails) still generates status messages from the skipped tasks. Task failure status messages also include the last 1024 bytes from stderr and stdout. When troubleshooting, start with the built-in reports. All three stages on the client log to ccmlogs\smsts.log. Finally use the WinPE boot shell (F8) to further investigate.