The following questions are the result of yesterday’s self-proclaimed game of “stump the chump” with myself playing the chump in a room full of IT folks (who had some excellent questions on Configuration Manager and Operations Manager). The responses below are from my colleagues who stepped up to provide answers to these questions including:
Configuration Manager 2012:
Q: What changes have been made to patch management in Configuration Manager 2012 to simplify the process to deploy patches?
A: [Chris Nackers] The process has been simplified to: search for updates, create a group, and deploy that group of updates.
A: [David Jaffe] Automatic Deployment Rules. E.g. Endpoint Protection definitions can be automatically downloaded, synced with DPs, and deployed to clients. Can decrease deployment of items like security updates through reducing the clicks to approve and deploy patches.
Q: What changes have been made to the Remote Control Tools in Configuration Manager 2012?
A: [Chris Nackers] Golden key is back (CTRL+ALT+DEL) when a user is not present; otherwise we use RDP and RA same as before. Additional reference:
A: [Marty List]
· Remote control now supports sending the CTRL+ALT+DEL command to computers.
· You can apply different remote control settings to collections of computers by using client settings.
· You can lock the keyboard and mouse of the computer that is being administered during a remote control session.
· The copy and paste functionality between the host computer and the computer that is being administered has been improved.
· If the remote control network connection is disconnected, the desktop of the computer that is being administered will be locked.
· You can start the remote control viewer from the Windows Start menu.
· Remote control client settings can automatically configure the Windows Firewall on client computers to allow remote control to operate.
· Remote control supports connecting to computers with multiple monitors.
· A high visibility notification bar is visible on client computers to inform the user that a remote control session is active.
· By default, members of the local Administrators group are granted the Remote Control permission as a client setting.
· The account name of the administrative user who starts the remote control session is automatically displayed to users during the remote control session. This display helps users to verify who is connecting to their computer.
· If Kerberos authentication fails when you make a remote control connection to a computer, you are prompted to confirm that you want to continue before Configuration Manager falls back to using the less secure authentication method of NTLM.
· Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are no longer used.
· Responsiveness for low-bandwidth connections supports the following improvements:
o Elimination of mouse trails by using single mouse cursor design.
o Full support for Windows Aero.
o Elimination of mirror driver.
Q: Does Configuration Manager 2012 have a web-based version of the Configuration Manager 2012 console?
A: [Chris Nackers] Not that I’m aware of
A: [Marty List] Not that I know of
A: [David Jaffe] No. However, they did add a portal for basic software requests and one-level workflow approval.
Q: What is the difference between a secondary site and a distribution point and why would we want to use them?
A: [Chris Nackers] Secondary site allows for a proxy MP; with 2012, we can finally throttle on a standard DP.
A: [David Jaffe] DPs do offer throttling and hold the PXE option. The only reason for a Secondary is to keep client traffic (policy check, heartbeat, and inventory) local and then throttle/compress client traffic upstream to the Primary. Deciding between a DP and SS is a discussion based on WAN bandwidth and number of clients. For details see the links below. As a side note, ConfigMgr 2012 will install and configure IIS and WDS when deploying remote DPs!
Decent link on changes below. Confirms DP throttling.
Wally concurs on the DP throttling change.
Q: Is it true that reports can only be run from the CAS, or can they be run in other locations (such as a European-based primary site)?
A: [David Jaffe] CAS is used for centrally managing patching and asset management reporting. You cannot push software or policy. You can assign the Reporting role on a primary and pull reports from just that Primary's clients. Also, a CAS is required if you want more than two Primary sites to communicate.
Q: Is there a PowerShell provider in ConfigMgr 2012?
A: [Marty List] No, but almost everything can be accessed via WMI in PowerShell scripts.
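As an added example of what "accessed via WMI" looks like in practice (this is not code from the original post or from the product documentation), the script below queries the ConfigMgr 2012 SMS Provider namespace for two things a patch administrator cares about: collections with their member counts, and updates that clients still need but that have not been deployed. The site server name (CM01) and site code (PS1) are assumptions; replace them with your own. The SMS Provider honours role-based administration, so the account running the script only sees objects its security scopes allow.

```powershell
# Added example, not from the original post. Query the ConfigMgr 2012 SMS Provider
# via WMI from PowerShell. Site server and site code below are assumptions.
$SiteServer = 'CM01'                       # assumed SMS Provider host
$SiteCode   = 'PS1'                        # assumed three-character site code
$Namespace  = "root\sms\site_$SiteCode"    # SMS Provider namespace for that site

# 1. Collections and how many resources each currently contains.
Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Collection |
    Select-Object CollectionID, Name, MemberCount |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. Compliance gap: updates at least one client reports as missing (NumMissing > 0)
#    that are current (not expired or superseded) and not yet in any deployment.
$wql = 'IsDeployed = FALSE AND IsExpired = FALSE AND IsSuperseded = FALSE AND NumMissing > 0'
Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_SoftwareUpdate -Filter $wql |
    Select-Object ArticleID, LocalizedDisplayName, NumMissing |
    Sort-Object NumMissing -Descending |
    Format-Table -AutoSize

# 3. The client side is WMI too: ask the local client agent to run its software
#    update scan now (schedule ID ...113 is the Software Updates Scan Cycle).
Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
    -ArgumentList '{00000000-0000-0000-0000-000000000113}' | Out-Null
```

The first two queries need DCOM/WMI access to the SMS Provider host and a ConfigMgr administrative user; the third runs against the local client namespace and needs local administrator rights, so it is the part you would schedule on endpoints rather than on the site server.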
Q: Is there a way to integrate bar code information into the Configuration Manager database?
A: [Chris Nackers] I would never recommend adding ANYTHING to the ConfigMgr DB. Can you create a separate DB and then combine information? Yes.
A: [David Jaffe] I agree with Chris Nackers... almost. Do NOT change or modify the MS tables or columns. If you must add info to the ConfigMgr DB, the supported method is to create your own tables. MS still reserves the right to wipe the table, so make sure to back up the DB before applying patches or service packs.
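As an added illustration of the "your own table, never theirs" approach (example code, not from the post or from Microsoft): the script below keeps scanned bar codes in a custom table inside the site database and relates them to ConfigMgr's own data only through the read-only v_R_System view on ResourceID, so no Microsoft table or column is touched. The SQL server name (CMSQL01), database name (CM_PS1), table name (Custom_AssetTag) and the sample machine name and tag are all assumptions or constructed values.

```powershell
# Added example, not from the original post. Store bar code / asset tag data in a
# custom table in the ConfigMgr site DB and join it to v_R_System by ResourceID.
# Server, database, table and sample values below are assumptions.
$SqlServer = 'CMSQL01'     # assumed site database server
$Database  = 'CM_PS1'      # assumed site database name

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    # 1. Create the custom table once. Own name, own schema; MS tables untouched.
    $cmd.CommandText = @"
IF OBJECT_ID('dbo.Custom_AssetTag', 'U') IS NULL
CREATE TABLE dbo.Custom_AssetTag (
    ResourceID INT          NOT NULL PRIMARY KEY,
    AssetTag   NVARCHAR(64) NOT NULL,
    ScannedOn  DATETIME     NOT NULL DEFAULT GETDATE()
);
"@
    [void]$cmd.ExecuteNonQuery()

    # 2. Upsert a scanned tag for a known client. Parameterised so a scanned
    #    string can never be interpreted as SQL (bar codes are attacker-adjacent input).
    $cmd.CommandText = @"
MERGE dbo.Custom_AssetTag AS t
USING (SELECT ResourceID FROM v_R_System WHERE Name0 = @Name) AS s
   ON t.ResourceID = s.ResourceID
WHEN MATCHED THEN UPDATE SET AssetTag = @Tag, ScannedOn = GETDATE()
WHEN NOT MATCHED THEN INSERT (ResourceID, AssetTag) VALUES (s.ResourceID, @Tag);
"@
    [void]$cmd.Parameters.AddWithValue('@Name', 'WKS-0042')    # constructed sample
    [void]$cmd.Parameters.AddWithValue('@Tag',  'AT-0098765')  # constructed sample
    $rows = $cmd.ExecuteNonQuery()
    if ($rows -eq 0) { Write-Warning 'No ConfigMgr resource with that name; nothing stored.' }

    # 3. Report machine name next to its tag, and export a copy: a service pack or
    #    upgrade may drop custom tables, so the export is the backup you restore from.
    $cmd.Parameters.Clear()
    $cmd.CommandText = @"
SELECT s.Name0, a.AssetTag, a.ScannedOn
FROM dbo.Custom_AssetTag a
JOIN v_R_System s ON s.ResourceID = a.ResourceID
ORDER BY s.Name0;
"@
    $rdr = $cmd.ExecuteReader()
    $report = @()
    while ($rdr.Read()) {
        $report += [pscustomobject]@{ Name = $rdr['Name0']; AssetTag = $rdr['AssetTag']; ScannedOn = $rdr['ScannedOn'] }
    }
    $rdr.Close()
    $report | Format-Table -AutoSize
    $report | Export-Csv -Path "$env:TEMP\Custom_AssetTag-backup.csv" -NoTypeInformation
}
finally {
    $conn.Close()
}
```

Grant the account that runs this only the rights it needs on the custom table (and SELECT on v_R_System) rather than db_owner on the site database; the whole point of a separate table is that a mistake here cannot corrupt the data the site itself depends on.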
Q: Is there any information available on what level of SQL traffic to expect over the WAN with the new SQL Replication changes and is the traffic encrypted?
A: [David Jaffe] I have found no specifics on this so far. However, the MS reason for using SQL replication is to reduce data size and make replication more reliable.
Q: What UI improvements are there for OSD?
A: [Chris Nackers] For OSD we simplified the PXE service point, added the ability to patch the images offline, and added support for the new app model and UDA, otherwise no major changes to OSD… there is no user interface as OSD is zero-touch by default, that hasn’t changed, unless you are using MDT 2012/UDI
Operations Manager 2012: (note, there are only two times they stumped me in OpsMgr versus the ConfigMgr beating above)
Q: Can Operations Manager monitor devices via UDP or only via TCP and ping?
A: [Terry Taylor] As for UDP... UDP is connectionless, no Ack; just send it and forget about it. So to monitor UDP, are we looking for OM to be the originator or the receiver? It sounds like the real question is "How can I make sure I can TFTP to my network devices?"
A: [Cameron Fuller] While I agree that UDP is connectionless and that would be a challenge to test, in the worst case, if the goal is to validate the ability to connect to something remotely via UDP, a script can be written which performs the test and returns either a success or failure event, which can then be captured by a monitor that alerts when the state changes.
Q: Does Operations Manager network monitoring gather information from network devices, such as device serial numbers?
A: [Terry Taylor] In OM 2007 (with xSNMP), it doesn't appear that serial number is being discovered (not sure how much this translates to OM 2012). I would guess that they might be looking for the serial number on the Chassis. I did some quick searching and it looks like for CISCO devices there is an "SNMP get" that will return the serial number, but I don't know how well that translates across vendors.
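The script Cameron describes, written out as an added example (not code from the post or from Operations Manager): because UDP gives no acknowledgement, the probe has to send a request that a live service must answer. A TFTP read request (RFC 1350) works well for the network-device case Terry raised, since a TFTP server replies with either DATA or an ERROR packet, and either one proves the service is reachable. The result is written to the Application event log as event ID 1 (healthy) or 2 (failed), which an OpsMgr event-based monitor can match on. The device address (10.0.0.5), the event source name (UdpProbe) and the probe file name are assumptions.

```powershell
# Added example, not from the original post. Probe a UDP service with a request
# that must be answered, then log the outcome as an event for an OpsMgr monitor.
function Test-UdpService {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 69,          # TFTP
        [int]$TimeoutMs = 3000
    )
    # TFTP RRQ: opcode 1, filename, 0, transfer mode, 0. Asking for a file that does
    # not exist is deliberate: the server still answers (with ERROR), which is all we need.
    $enc    = [System.Text.Encoding]::ASCII
    $packet = [byte[]]( @(0, 1) + $enc.GetBytes('opsmgr-probe.txt') + @(0) + $enc.GetBytes('octet') + @(0) )

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        # Do NOT Connect() the socket: a TFTP server replies from a fresh ephemeral
        # port (its TID), and a connected UDP socket would silently drop that reply.
        [void]$udp.Send($packet, $packet.Length, $ComputerName, $Port)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        $opcode = ([int]$reply[0] -shl 8) -bor [int]$reply[1]   # 3 = DATA, 5 = ERROR
        return [pscustomobject]@{ Success = $true; Detail = "opcode $opcode from $remote" }
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's method-call wrapper
        # TimedOut: nothing answered (host down, filtered, or service silent).
        # ConnectionReset (Windows): ICMP port-unreachable came back, so the host is
        # up but nothing listens on that port. Both are failures, but different ones.
        $code = if ($ex -is [System.Net.Sockets.SocketException]) { $ex.SocketErrorCode.ToString() } else { $ex.Message }
        return [pscustomobject]@{ Success = $false; Detail = $code }
    }
    finally {
        $udp.Close()
    }
}

# Register the custom event source once (requires elevation), then log the state.
$Source = 'UdpProbe'                                   # assumed custom source name
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
$result = Test-UdpService -ComputerName '10.0.0.5' -Port 69   # constructed device address
if ($result.Success) {
    Write-EventLog -LogName Application -Source $Source -EventId 1 -EntryType Information `
        -Message "UDP/69 probe to 10.0.0.5 OK: $($result.Detail)"
} else {
    Write-EventLog -LogName Application -Source $Source -EntityType Error -EventId 2 `
        -Message "UDP/69 probe to 10.0.0.5 FAILED: $($result.Detail)"
}
```

Run it from a management server or agent on a schedule and build the monitor so that event 2 turns the health state critical and event 1 returns it to healthy; the alert then fires only on the transition, as Cameron describes. For services other than TFTP, swap the packet for whatever that protocol treats as a request (an SNMP GET, a DNS query), keeping the same send, receive with timeout, and classify-the-failure pattern.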
A: [Cameron Fuller] I have not seen any documentation which indicates that the serial number for network devices will be gathered in OpsMgr 2012 with the built-in network monitoring functionality. In OpsMgr 2012 the information looks similar as shown below: (subset of graphic from http://4sysops.com/archives/scom-2012-review-part-5-network-monitoring/)
That being said however, using an alteration to the xSNMP management pack example shown by Terry I expect that this could be added to OpsMgr. For most of the frequently asked questions by network administrators for OpsMgr functionality I recommend this article: http://derek858.blogspot.com/2011/05/sim354-systems-center-operations.html
I owe a huge thank you to all of the folks who contributed to answering these questions on ConfigMgr 2012 and OpsMgr 2012!