Monday, October 29, 2012

System Center 2012 Endpoint Protection (part 2)

Last time I wrote a blogpost about System Center 2012 Endpoint Protection (SCEP) functionality. I mentioned the installation/configuration and deploying SCEP agents. This time the SCEP series continues with deploying antimalware policies and definition updates. With a SCEP agent installed it's time to manage them with antimalware policies, and make sure definition updates will be installed every 8 hours (if available).

Beneath "Assets and Compliance" there's a folder for creating and managing Antimalware and Windows Firewall policies. Looking at antimalware policies there is a Default Client Antimalware Policy. Just leave it at default settings and create a new policy. Just rightclick and choose "Create Antimalware Policy" or "Import". In my case I'm using Import, and choose default policies for all type of servers being used. That way most values and exclusions are set by default, which can save you a lot of configuration time.
Nice thing is you can merge multiple policies to one single policy now. That functionality wasn't available in the earlier Forefront Endpoint Protection (FEP) 2010 release. When importing (for example) both Domain Controller, DNS Server and DHCP Server policies, you can merge them to one single policy when needed. You can select a Base policy and New policy name also. That way it's a lot easier to create new antimalware policies. Just have a look at the screenshot how it looks like.
Another important step is to configure automatic definition updates. In ConfigMgr 2007 with FEP 2010 it was needed to use the "Definition Update Automation Tool" in combination with a Task Scheduler. More about that in the following blogposts HERE and HERE. In ConfigMgr 2012 you can use "Automatic Deployment Rules" for that. Just create a new rule, select Search criteria based on FEP 2010 and deploy it. In my case I deployed it on the "All Desktop and Server Clients" collection. That way all clients with a SCEP agent will automatically receive new updates.

Both antimalware policies and definition updates are in place now!

My next blogpost will be about deploying monitoring, dashboard views and reports. Stay tuned for more!

Monday, October 22, 2012

System Center 2012 Endpoint Protection (part 1)

Last week I installed System Center 2012 Endpoint Protection (SCEP) at my office. SCEP is built on Configuration Manager (ConfigMgr) 2012, creating a single infrastructure for deploying and managing endpoint protection. SCEP uses the same industry-leading antimalware engine as Microsoft Security Essentials and Windows Defender (Windows 8), to protect systems against the latest malware and rootkits. SCEP is previously known as Forefront Endpoint Protection (FEP) 2010.

In this series of blogposts I will mention the installation/configuration and deploying SCEP agents (1), deploying antimalware policies and definition updates (2), monitoring, dashboard views and reports (3).

Let's mention the installation/configuration first.

In ConfigMgr 2007 it was needed to install and integrate FEP 2010 within the ConfigMgr console. More about that HERE. In ConfigMgr 2012 it will be a lot easier than that! Just install the Endpoint Protection point role on your ConfigMgr Site server. That way it will be activated in your environment. No need to create a software package or something like that. This will be created by default also.

Beneath "Assets and Compliance" there will be a folder for creating and managing policies. Beneath "Monitoring" there will be a Dashboard for SCEP 2012 status. In Reports there will be six reports to run. During ConfigMgr 2012 agent install, the CCMSETUP folder will be used for ConfigMgr and SCEP installation. The file SCEPInstall.exe will be download by default also. This file is used for SCEP agent installation.

Normally, SCEP installation is disabled within the ConfigMgr agent policy. Beneath "Administration" there is a Client Settings policy. Just leave it at default settings and create a new Client Settings policy. Within this new policy, enable Endpoint Protection and deploy it on a collection which must have Endpoint Protection. In my case I deployed it on the "All Desktop and Server Clients" collection. That way ALL clients with a ConfigMgr agent will also have SCEP installed automatically.

Both installation/configuration and deploy SCEP agents are done now!

My next blogpost will be about deploying antimalware policies and definition updates. Stay tuned for more!

Thursday, October 18, 2012

ConfigMgr 2012 Component add-ons and Extensions

Last week I installed ConfigMgr 2012 and SCEP again at customer location. It's true that ConfigMgr 2012 has a lot of build-in functionality, but it can be even better. In this blogpost I will mention a few additional Component add-ons and Extensions. Here they are:
ConfigMgr Console Extensions
The ConfigMgr Console Extensions (formerly Right Click Tools) are a set of freeware right-click tools for the Microsoft ConfigMgr 2007/2012 console designed to help make our SCCM administration lives a little easier. The following tools are added to both collections and systems:

  • Trigger Client Action (10x ConfigMgr Policy update)
  • ConfigMgr Client Tools (ConfigMgr Client management)
  • System Tools (Ping, Wake-On-Lan, Reboot, Shutdown, Schedule reboot/shutdown)
  • Trigger Client Action (10x ConfigMgr Policy update)
  • ConfigMgr Client Tools (ConfigMgr Client management)
  • System Tools (Manage Computer, Ping, Wake-On-Lan, RDP to Console, Remote CMD, Connect to C$, System detail, Reboot, Shutdown, Schedule reboot/shutdown)

Nice feature is that Wake-On-Lan (WOL) also support unicast, subnet-directed broadcast, and additional ports now!

Package Conversion Manager (PCM)
The Microsoft System Center 2012 Configuration Manager Package Conversion Manager allows for converting packages and programs into applications and deployment types in System Center Configuration Manager 2012. There is a migration feature which will be released with the Configuration Manager 2012 that allows packages to be migrated from 2007 to 2012.

Once you have migrated your package objects and installed PCM then it is just a matter analyzing your packages in order to determine which readiness state each are in, and then converting those packages that are in the appropriate readiness state.

System Center 2012 Configuration Manager Toolkit
The Microsoft System Center 2012 Configuration Manager Toolkit contains nine downloadable tools to help you manage and troubleshoot Microsoft System Center 2012 Configuration Manager. The following list provides specific information about each tool in the toolkit.
  • Client Spy - A tool that helps you troubleshoot issues related to software distribution, inventory, and software metering on ConfigMgr 2012 clients.
  • Policy Spy - A policy viewer that helps you review and troubleshoot the policy system on ConfigMgr 2012 clients.
  • Security Configuration Wizard Template - The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
  • Send Schedule Tool - A tool used to trigger a schedule on a client or trigger the evaluation of a specified DCM Baseline. You can trigger a schedule either locally or remotely.
  • Power Viewer Tool – A tool to view the status of power management feature on ConfigMgr 2012 clients.
  • Deployment Monitoring Tool - The Deployment Monitoring Tool is a graphical user interface designed help troubleshoot Applications, Updates, and Baseline deployments on ConfigMgr 2012 clients.
  • Run Metering Summarization Tool - The purpose of this tool is to run the metering summarization task to analyze raw metering data
  • Role-based Administration Modeling and Auditing Tool – This tool helps administrators to model and audit RBA configurations.
  • License Tracking PowerShell Cmdlets - The PowerShell cmdlet “Get-ConfigMgrAccessLicense” is used to get license usage information for all the servers and clients within scope of ConfigMgr 2012. The cmdlet returns a list of licensable features and a list of unique users and devices per unique licensable feature.

Hope you like these tools, which adding additional value to ConfigMgr 2012. ConfigMgr will be even more better this way!

Wednesday, October 17, 2012

No reports available in ConfigMgr 2012 console

ConfigMgr 2012 has reporting functionality build-in, based on SQL Reporting Services (SRS). Today I had a issue that reports aren't available in the ConfigMgr console. What's going wrong here?

When looking at SRS on the SQL Server everything was configured fine. In Reporting Services Configuration Manager a Service Account was set (a domain user, which is a best practice), and the Report Manager URL was displayed fine also. All ConfigMgr reports were displayed here!

First a few captures to display the issue:

A Windows domain user account is configured in RSCM

Starting the Report Manager URL shows no errors..

But no reports are displayed in the ConfigMgr console

Searching on the web I found an recommendation to use the Local system account as SRS Service Account. I changed above configuration from Windows domain user account to a Local system account and it's working again. Strange thing that Microsoft recommends to use a Windows domain user account, but it's not working that way.

The following captures displays the solution:

Configure the Service Account to use Local system in RSCM

After change have a look in the ConfigMgr console again

Nice to have 423 items in Reports again. Just use Local system in SRS Service Account from now on, to pass this issue.

Tuesday, October 16, 2012

Microsoft Surface: Windows RT vs Windows 8 Pro comparison

This week there's a lot of information about Microsoft Surface and Windows RT. But what's Surface and Windows RT actually?

Microsoft Surface
Microsoft Surface is an upcoming series of tablets designed and marketed by Microsoft itself. Microsoft Surface will be available in two versions, Surface and Surface Pro. The Surface model will run Windows RT and use an ARM CPU. The Surface Pro model will run the Windows 8 Pro and use an Intel CPU. More details in the comparison.

Windows RT
Windows RT will be a version of Windows 8 for ARM devices such as tablets. The RT acronym does not officially stand for anything, much like NT or XP in past Windows branding. It will officially only run software available through the Windows Store or included in Windows RT. Among the applications included with Windows RT will be Microsoft Office Word, Excel, PowerPoint, and OneNote 2013 RT.

Windows 8 Pro succeeds Windows 7 Professional and Ultimate and is targeted towards enthusiasts and business users; it includes all the features of Windows 8 and many more.

Microsoft has officially confirmed that it will release its upcoming Surface tablet to coincide with Windows 8 US availability on October 26th. It starts at $499 for the 32GB version, but will not come with the touch-cover. Those who want one, would need to pay $100 more. The 64GB version will cost $699 (with touch-cover included). The touch-cover comes in 5 colors: blue, white, black, pink and red.

I'm very excited about the upcoming Microsoft Surface and Windows Phone 8 releases. Hope you like it also! More information about Surface can be found HERE.

Monday, October 8, 2012

MMS 2013 Dates Announced

Today the final dates for MMS 2013 has been announced:
MMS returns to Las Vegas, NV April 8-12, 2013!
That means the date mentioned on MMS 2012 last year:
June 2013 in New Orléans, isn't valid anymore.

Be one of the first to know when registration opens: sign up to receive MMS news & updates. We hope to see you in Las Vegas in April!

For those who have never been on MMS before:
At Microsoft Management Summit the brightest and most skilled IT professionals from around the world meet to increase their technical expertise through deep hands-on technical training, sharing of best practices, and interaction with innovators and pioneers in desktop and device management and datacenter and cloud technologies.

Expect to have a lot of Microsoft Private Cloud and System Center 2012 (SP1) sessions there!

And yes, I hope to be at MMS next year again! :)

Windows Phone 8 comparison for HTC, Nokia and Samsung phones

Last week I posted a few mobile phone comparisons. One for iOS, Android and Windows Phone, and one for Nokia Lumia phones. This time I want to post an Windows Phone 8 comparison for HTC, Nokia and Samsung phones. As for now Google's Android and Apple's iOS are most popular, accounted for 85% of all smartphones shipped in Q2 2012. Microsoft's Windows Phone 7 made gains, but BlackBerry OS and Symbian lost ground. It's time for Microsoft now to make a big step towards Google and Apple, with Windows Phone 8.

At the moment both HTC, Nokia and Samsung announced mobiles Phones for Windows Phone 8. Searching on the web I found a good comparison which includes them all. Here it is:

Nice to see all Windows 8 phones in one overview, don't you think? The HTC 8X, Lumia 920 and ATIV S are the high-end Windows 8 devices. The HTC 8S and Lumia 820 are mid-level devices. A comparison by size can also be found on the web. Here it is:

Now we must wait another month (till November) for release and pricing. Can't wait to have a Windows 8 phone myself! :)

Nokia Lumia 920 vs Lumia 820 comparison

AT&T announces last week the Nokia Lumia 920 is exclusive, and will be launced in November with the Lumia 820. The Lumia 920 will be available on AT&T exclusively according to the carrier. This in red, black and white colors, and through online orders in yellow and cyan colors. The Nokia Lumia 820 will be available in black only, but AT&T will stock additional colored shells. There's no word on pricing or exact availability for both models, but AT&T says they'll be available in November.
Nokia Lumia 820 press pictures (all colors):

Nokia Lumia 920 press pictures (all colors):  

And pictures from the Cyan version too: 

Searching on the web I found a comparison for Nokia Lumia 920 vs Lumia 820 with Windows Phone 8. Here it is:

In Europe the pricing will probably be 649 euro (Lumia 920) and 499 euro (Lumia 820) at Vodafone, T-Mobile and O2/Telefonica. More on this later when final pricing is available.

Update 8-1-2013: The Nokia devices are available for pre-order in The Netherlands.  The final pricing will be 599 euro (Lumia 920) and 499 euro (Lumia 820). The Lumia 620 will be just 259 euro. Nice to see that the Lumia 920 will be priced 50 euro less then expected!

Update: Have a look at Nokia Lumia 620 specifications also.

Thursday, October 4, 2012

Mobile phone comparison for iOS, Android and Windows Phone

Within a few months it's time to order a new mobile phone again. At the moment I have a cheap Samsung Galaxy Ace phone with Android installed on it. Not that Android isn't good, but the Operating System performs pretty bad on it. It crashes all the time and it's very slow. Also there's too little free memory available on it to install a lot of apps. Time to have a good comparison now, and don't order a phone quick because a lot of colleagues have ordered it also :) Let's have a look.
At the moment the most popular phones are: 
  • Apple iPhone 5 (iOS 6)
  • Samsung Galaxy S III / HTC One X (Android 4.0)
  • Nokia Lumia 920 (Windows Phone 8)

These high end mobile phones are all really fast and have enough free memory available on it too install a lot of apps. Searching on the web I found a ultimate comparison, for the most popular phones including BlackBerry 10 (without specifications). Here it is:

There's also another comparison which contains the most popular phones, except the HTC One X is missing. Nice to see that the Nokia Lumia 920 has wireless charging built-in. Here it is:

Based on above comparison(s) and other news I found on the web, I'm very curious about the Nokia Lumia 920. It will be available November 2012 in Europe, so it's not yet available at the moment. It's time for a change and Windows Phone 8 is most likely the winning one for me! Question is, will it be the black, white, grey, yellow or red one :)
Expect more on this topic soon!

Tuesday, October 2, 2012

Unknown computer bug in ConfigMgr 2012

When re-deploying an already deployed system with ConfigMgr 2012, an error message is sometimes displayed: "Failed to Run task sequence, There are no task sequences available for this computer". This because the system is already available in the ConfigMgr console as a "unknown" system. Because of that the "All Unknown Computers" deployment isn't used and a deployment on a known computers collection isn't used also. This because in system properties: "Unknown Computer = 1" is detected. No way to install this system again!?

As a workaround it's possible to delete the created object in ConfigMgr collections to re-deploy a system again. After deleting the system(s) the error message: "Failed to Run task sequence, There are no task sequences available for this computer" will be gone. Unfortunately after re-deployment the same thing happens again, so it's no real solution to this problem. Another solution to resolve this is mentioned HERE. It says: Add a query rule to the Collection that grabs new computers where the System Resource “Unknown Computer” property = “1”.

I tried that solution myself also, but it don't seems to work either. A "Unknown Computer Bug Update" can be found HERE. It mentions: 
"The final response back from Microsoft via Connect was that this would be submitted to the Product Group as a Design Change Request". Hope it will be solved soon! Strange enough I don't have this issue at all ConfigMgr 2012 implementations? Anyone?

Update: For it seems this is only a problem when working with workgroup systems. When working with domain members there isn't any error message. That explaines why I haven't see this problem before.

Update 16-6: Unchecking "Unknown Computer Support" on the DP/PXE in question restarting the executive on the Primary and then reselecting "Unknown Computer Support" on the DP/PXE in question and restarting the executive resolves this issue. The problem you're running into is an corrupt policy on the MP. By Unchecking the option mentioned this will create a new policy and your unknown systems should pick up the TS when in WinPE.