Microsoft System Center Configuration Manager: Concepts and Administration Introduction

Conditions and Terms of Use
Microsoft Confidential

Copyright and Trademarks


© 2016 Microsoft Corporation. All rights reserved.

http://www.microsoft.com/en-us/legal/intellectualproperty/Permissions/default.aspx
How to View This Presentation
• Switch to the Notes Page view:
  o Click View on the ribbon, and then select Notes Page
  o Use Page Up or Page Down to navigate
  o Zoom in or zoom out as needed
• Most of the slides will have supporting text that you can view now or after the delivery
• You can add notes to your copy of the presentation if you want to
• You can take the presentation files home with you

Module 01: Introduction to Configuration Manager

Module Overview
This module is an introduction to Microsoft System Center Configuration Manager
(current branch) and contains the following sections:
• Configuration Manager Overview
• Understanding the Configuration Manager Console
• Understanding Configuration Manager Sites and Roles
• Understanding Configuration Manager Clients
• Configuration Manager Features and Capabilities

Configuration Manager Overview
Microsoft System Center Configuration Manager:
• Is an enterprise-class system configuration and management tool
• Increases IT productivity by reducing manual tasks
• Provides effective management of your assets for the following operating systems:
  o Windows
  o Linux
  o UNIX
  o Mac
  o Mobile (iOS, Android, or Windows)

Configuration Manager Naming and Support
• Product Name: Microsoft System Center Configuration Manager (current branch)
• Current branch version numbers are created from the year and month of release (YYMM), e.g. Configuration Manager 1511.
• Two types of Configuration Manager current branch versions:
  o Baseline versions (1511, 1606)
  o Update versions (1602, 1606, 1610)
• Each version is supported for twelve (12) months after release
• Two distinct support (or servicing) phases:
  o Security and Critical Updates servicing phase
  o Security Updates (Only) servicing phase

Understanding the Configuration Manager Console

What is the Configuration Manager Console?
The Configuration Manager Console:
• Is used to configure sites and clients
• Is used to run and monitor management tasks
• Uses the System Center UI framework for a common look and feel across all
System Center products
• Can be used to run secondary consoles (Resource Explorer, Remote control)
that provide support for specific client management tasks
• Can be used to restrict access so that Administrators see only the objects that
they have access to
• Provides temporary nodes for easier navigation

Workspaces and the Ribbon
• All the tasks are performed within the four workspaces:
  o Assets and Compliance
  o Software Library
  o Monitoring
  o Administration
• The ribbon provides context-sensitive access to settings and features

Search
• Criteria-specific search:
  o Node specific
  o Global
• Searches can be saved to be used later

Temporary Node
• Automatically created as a result of an action in the console
  o Example: Performing show members on a device collection
• Specific to a single console
• Temporary, will disappear when the console is closed

Demonstration: Configuration Manager Console

Understanding Configuration Manager Sites and Roles

Site Server Function
• The central administration site
  o Mandatory with multiple primary sites
  o Common location for all administrative and reporting activities
  o Supports one level of child primary sites
• The primary site
  o Standalone or child primary
  o Supports secondary sites
  o Manages devices and users
• The secondary site
  o Extends the primary site
  o Compensates for slow network connections

Hierarchy
• The hierarchy with a Central Administration Site:
  o Contains one Central Administration Site
  o Contains one or more primary sites
  o Supports secondary sites
• A standalone primary site:
  o Does not contain a Central Administration Site
  o Contains one primary site
  o Supports secondary sites
  o Provides an option to expand to a new hierarchy

Supported Environments
• On-premises hierarchy installed on physical or virtual servers
• Hierarchy in Microsoft Azure supporting Azure virtual machines
• Hierarchy in Azure supporting Azure and on-premises clients
• On-premises hierarchy supporting Azure and on-premises clients

Site System Servers and Roles
• Site system roles expand management operations at each site
• Site system roles can be installed on the site server or on another server to manage performance
• A site server or site system can host roles for only one site
• Some site roles automatically install, such as:
  o Site Server
  o Component Server

Site System Roles
• Site Server:
  o A site server is the system where Configuration Manager is installed
  o Provides the core functionality for the site
• Site Database Server:
  o A server hosting the Microsoft SQL Server database for the site server
• Component Server:
  o Controls the SMS Executive service
  o Automatically installed with all the site systems except the distribution point
• SMS Provider:
  o Interface between the console and the site database
  o Installs through the setup
• Service Connection Point:
  o Connects Configuration Manager to Microsoft Intune for mobile device management
  o Uploads telemetry data based on the membership level
  o Enables you to identify and apply updates to Configuration Manager from the Configuration Manager console

Site System Roles
• Management Point (MP):
  o Provides policy and service location information to clients
  o Receives configuration data from clients
• Distribution Point (DP):
  o Contains source files for clients to download
    o Application content
    o Software packages
    o Software updates
    o Operating system and boot images
  o Controls content distribution by using bandwidth throttling and scheduling options
• State Migration Point (SMP):
  o Stores user state data during operating system deployment
• Software Update Point (SUP):
  o Integrates with Windows Server Update Services (WSUS)
  o Provides software updates to Configuration Manager clients

Site System Roles
• Fallback Status Point (FSP):
  o Collects fallback status messages during client installation
• Endpoint Protection Point:
  o Enables the hierarchy to use System Center Endpoint Protection
• Asset Intelligence Synchronization Point:
  o Connects to System Center Online to download the Asset Intelligence catalog information
  o Uploads uncategorized titles
• Reporting Services Point (RSP):
  o Integrates with SQL Server Reporting Services
  o Creates and manages reports for Configuration Manager

Site System Roles
• Application Catalog Web Service Point:
  o Provides software information to the Application Catalog website from the Software Library
• Application Catalog Website Point:
  o Provides users with a list of available software
• Enrollment Proxy Point:
  o Manages enrollment requests from mobile devices and computers running Mac OS
• Enrollment Point:
  o Uses Public Key Infrastructure (PKI) certificates to complete the enrollment of mobile devices and computers running Mac OS
• Certificate Registration Point:
  o Provides certificate enrollment for devices that Configuration Manager manages

Understanding Configuration Manager Clients

Boundaries
• A boundary:
  o Is a network location on the intranet
  o Needs to be part of a boundary group
• A boundary is created by using the following:
  o An IP range
  o An IP subnet
  o An Active Directory site
  o An IPv6 prefix

Boundary Group
• Site assignment:
  o Clients join a site based on boundary groups that contain clients’ current network location
  o Overlapping is not supported for site assignment
  o Supports a fallback site
• Content location:
  o Associate DPs and SMPs with one or more boundary groups
  o Overlapping is permitted for the content location (DP and SMP)
  o Network speed is defined for each site server in a boundary group
  o Supports a preferred MP
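
The overlap rule for site assignment can be checked before boundaries are created. The following is an added example, not part of the original deck and not Microsoft's code: it flags IPv4 boundaries that overlap while their boundary groups assign different sites. The boundary names, group names, site codes and the CIDR notation used for subnets are constructed sample data, and only IP range and IP subnet boundaries are handled.

```powershell
# Constructed sample data: names, groups and site codes are hypothetical.
$sampleBoundaries = @(
    [pscustomobject]@{ Name='HQ-LAN';     Type='IPRange';  Value='10.10.0.1-10.10.3.254'; Group='BG-HQ';     Site='P01' }
    [pscustomobject]@{ Name='HQ-WiFi';    Type='IPSubnet'; Value='10.10.2.0/24';          Group='BG-HQ';     Site='P01' }
    [pscustomobject]@{ Name='Branch-LAN'; Type='IPSubnet'; Value='10.10.3.0/24';          Group='BG-Branch'; Site='P02' }
    [pscustomobject]@{ Name='Lab';        Type='IPRange';  Value='10.20.0.1-10.20.0.254'; Group='BG-Lab';    Site='P02' }
)

function ConvertTo-IPv4Number ([string]$Address) {
    # Dotted-quad IPv4 address -> integer, so ranges can be compared numerically.
    [uint64]$n = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = ($n * 256) + $octet
    }
    $n
}

function Get-BoundaryRange ($Boundary) {
    # Normalise either boundary type to an inclusive Low/High pair.
    switch ($Boundary.Type) {
        'IPRange' {
            $first, $last = $Boundary.Value -split '-'
            $lo = ConvertTo-IPv4Number $first
            $hi = ConvertTo-IPv4Number $last
        }
        'IPSubnet' {
            $network, $prefix = $Boundary.Value -split '/'
            $size = [uint64][math]::Pow(2, 32 - [int]$prefix)
            $lo = ConvertTo-IPv4Number $network
            $lo = $lo - ($lo % $size)          # align to the subnet start
            $hi = $lo + $size - 1
        }
        default { throw "Unsupported boundary type: $($Boundary.Type)" }
    }
    [pscustomobject]@{ Low = $lo; High = $hi }
}

function Find-SiteAssignmentOverlap ($Boundaries) {
    $ranges = @(foreach ($b in $Boundaries) {
        $r = Get-BoundaryRange $b
        [pscustomobject]@{ Boundary = $b; Low = $r.Low; High = $r.High }
    })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a, $c = $ranges[$i], $ranges[$j]
            $overlaps = ($a.Low -le $c.High) -and ($c.Low -le $a.High)
            # Overlap inside one site only affects content location, which is permitted.
            if ($overlaps -and $a.Boundary.Site -ne $c.Boundary.Site) {
                [pscustomobject]@{
                    First  = "$($a.Boundary.Name) [$($a.Boundary.Group)]"
                    Second = "$($c.Boundary.Name) [$($c.Boundary.Group)]"
                    Sites  = "$($a.Boundary.Site) / $($c.Boundary.Site)"
                }
            }
        }
    }
}

Find-SiteAssignmentOverlap $sampleBoundaries | Format-Table -AutoSize
```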

Discovery Methods
• Discovery methods add or update resource records in the database
• Configuration Manager discovery methods:
  o Active Directory Forest Discovery
  o Active Directory Group Discovery
  o Active Directory System Discovery
  o Active Directory User Discovery
  o Heartbeat Discovery
  o Network Discovery
• Delta discovery is supported on:
  o Active Directory Group Discovery
  o Active Directory System Discovery
  o Active Directory User Discovery

Client Installation Methods
Depending on the environment and the client, different client installation methods can be used:
• Client Push
• Software Update
• Group Policy
• Logon Script
• Manual Installation
• Computer Imaging
• Package and Program (Upgrade)
• Automatic Client Upgrade
• Client Update (with test option)

Client Site Assignment
• Manual site assignment:
  o Use a client installation property that specifies the site code
  o Specify the site code in Control Panel > Configuration Manager
• Automatic site assignment:
  o Based on boundaries

Configuration Manager Features and Capabilities

Inventory
• Hardware inventory:
  o Queries Windows Management Instrumentation (WMI) for data stored in the WMI or the registry
  o Settings can be customized per site or per collection by using client settings policies
  o Hardware inventory classes can be customized by using client settings
• Software inventory:
  o Scans hard drives for files
  o Can collect copies of files during the software inventory cycle
  o Can be customized per site or per collection by using client settings

Asset Intelligence
• Provides tools to collect inventory data and to monitor usage of the software
licenses in your organization
• Uses the Asset Intelligence synchronization point to download updated Asset
Intelligence catalogs
• The Asset Intelligence catalog contains categorization and identification
information for over 300,000 software titles and versions

Software Metering
• Monitor and collect software usage data from clients
• Generate rules manually or automatically
• Software metering lets you identify:
  o Whether users are still running a particular application
  o What time of the day the application is most frequently used

Remote Control
• Use remote control to remotely administer, provide assistance, or view any client computer in the hierarchy
• Three ways to connect:
  o Remote Control
  o Remote Desktop
  o Remote Assistance
• Customize the remote control policies for different collections using client settings

Reporting
• Reporting helps you gather, organize, and present information about:
  o Users
  o Hardware and software inventory
  o Software updates
  o Applications
  o Site status
  o Many other Configuration Manager operations
• 477 predefined reports
• Uses SQL Server Reporting Services for a rich authoring experience

Internet-Based Client Management (IBCM)
• Allows management of Configuration Manager clients on the Internet when not
connected to the corporate network
• Clients and site servers must have the PKI certificates configured
• Not all features are supported for clients on the Internet

Client Settings
• Control the behavior of the user or device settings for Configuration Manager
clients
• Custom settings can be created to change or override the default settings
• Settings are deployed to the target collections

Collections
• Collections represent logical groups of resources, either users or devices
• Built by using four different types of rules:
  o Direct membership
  o Query - WMI Query Language (WQL)
  o Include rule
  o Exclude rule
• Contains resources from all sites in the hierarchy
• Can be restricted using role-based administration

Application Management
• Set of tools and resources to help create, manage, deploy, and monitor applications on multiple different devices
• Consists of:
  o The application model
  o Packages and programs
• Deployments can be:
  o Required
  o Available
  o Available with approval
• Users can monitor or install applications through:
  o The Application Catalog
  o The Software Center

Software Update Management
• Provides a set of tools and resources that manage, deploy, and monitor
software updates
• Utilizes Windows Server Update Services (WSUS) to synchronize catalog
metadata
• Contains software update groups to deploy and check for update compliance
• Deployment can be manual or automated, with an automatic deployment rule
• Uses client settings to control the behavior of how the software update
functions on the client

Updates and Servicing
• Updates and Servicing node can be used to install updates, newer builds, and control features
• Requires:
  o A service connection point for the online mode
  o A service connection tool for the offline mode

Role-Based Administration
• Helps secure administrative user access to Configuration Manager
• Consists of:
  o Security Role: Sets overall permissions to objects
  o Security Scope: Limits specific objects
  o Collections: Limits access to specific collections

Client Monitoring
• Monitors the health and activity of clients in your hierarchy
  o Client online status: Evaluates whether the client is online or not
  o Client activity: Evaluates the activity or interaction between the Configuration Manager client and the site
  o Client check: Evaluates the health of the Configuration Manager client and its dependencies
• Provides reports and in-console monitoring for compliance and trending

Backup and Recovery
• Backup can be performed in different ways:
  o Backup Site Server Maintenance Task
  o Manually back up the SQL Server Database
  o Use Data Protection Manager to back up your site database
• Recovery:
  o Recover a site by using the existing backed up data
  o Reinstall a site server by using a new database (hierarchy only)
  o Recover only the database (the site server is working fine)
  o Recover only the site (the database is working fine)

Operating System Deployment
• Provides tools to create and deploy images to devices
• Deployments:
  o Bootable media
  o Preboot Execution Environment (PXE) network boot
  o Refresh or upgrade to a Configuration Manager client
• Supports client and server scenarios
• Supports Windows 10 install and upgrade package

Compliance Settings
• Provides a set of tools and resources to help you assess, track, and remediate configuration compliance of devices in the organization
• Examples of supported business scenarios:
  o Compare configuration of Windows PCs, computers running Mac OS, servers, and mobile devices against best practices
  o Identify unauthorized device configurations
  o Automatically remediate some of the noncompliant settings on computers and mobile devices
• Consists of:
  o Configuration Items
  o Configuration Baselines
  o Configuration Packs

Mobile Device Management
• Provides different solutions to manage computers and mobile devices without the Configuration Manager client using:
  o On-Premises Mobile Device Management
  o Microsoft Intune
  o Exchange ActiveSync

Mobile Device Management with Exchange ActiveSync
• Lightweight management performed in Configuration Manager and managed through Exchange ActiveSync:
  o Password settings
  o Email management
  o Security
  o Allow, block, or quarantine mobile devices
  o Remote wipe
• Requires the Microsoft Exchange Server connector
• Supported versions:
  o Exchange Server 2010 SP1 and later
  o Microsoft Office 365

Mobile Device Management with Intune
• Allows management of devices, applications, and company resources through Open Mobile Alliance Device Management (OMA DM)
• Features of device management:
  o Configure compliance settings: password, security, roaming, encryption, and much more
  o Collect inventory
  o Deploy the line-of-business applications or link to application stores
  o Retire and wipe devices
• Features of Company Resource Management:
  o Configure certificates
  o Configure email, virtual private network (VPN), Wi-Fi profiles
  o Configure conditional access

On-Premises Mobile Device Management
• Allows on-premises management of devices through OMA DM connector
• Utilizes on-premises infrastructure, does not connect to Intune
• All data is kept on-premises
• Supported devices:
  o Windows 10
  o Windows 10 Mobile

Endpoint Protection
• Provides security, anti-malware, and basic Windows Firewall management
• Built-in functionality to manage System Center Endpoint Protection clients or Windows Defender on Windows 10 devices
• Functionality examples:
  o Malware and spyware detection and remediation
  o Automatic definition and engine updates
  o Rootkit detection and remediation
• Requires Endpoint Protection Point Site System role
• Requires Endpoint Protection licenses

Windows PowerShell Integration
• Configuration Manager has a Windows PowerShell cmdlet library
• Utilizes the Software Development Kit (SDK) to allow scripting tasks
• Configuration Manager Cmdlet Library is available for download
• Example: Create a new administrative user for FourthCoffee\Arno.Harteveld. Assign him the Asset Manager security role, and provide access only to the All Windows 10 Devices collection:

New-CMAdministrativeUser -Name "FourthCoffee\Arno.Harteveld" -CollectionName "All Windows 10 Devices" -RoleName "Asset Manager"

Upgrade and Migration
• Multiple ways to move data from an older version of Configuration Manager:
  o In-place upgrade
  o Side-by-side migration
• In-place upgrade can be performed from:
  o System Center 2012 Configuration Manager with Service Pack 1
  o System Center 2012 Configuration Manager with Service Pack 2
  o System Center 2012 R2 Configuration Manager
  o System Center 2012 R2 Configuration Manager with Service Pack 1
  o An evaluation install of Configuration Manager
• Side-by-side migration can be performed from:
  o System Center 2007 R2 Configuration Manager or later

Pre-release features
• Pre-release features are included for early testing in a production environment, but should not be considered production ready.
• Beginning with Configuration Manager 1606, you must give consent to use Pre-release features before you can select and enable their use.
• To give consent, in the console navigate to Console Administration > Site Configuration > Sites, and then select Hierarchy Settings. On the General tab, select Consent to use Pre-Release features.

Module 01 Lab: Review the Configuration Manager Site

Module Knowledge Check
1. What are some of the benefits of using Configuration Manager?
2. What can you do with the Configuration Manager administration console?
3. How can you manage a Windows 10 laptop that is outside your corporate
network?

Module summary
In this module, the following sections were covered:
• What is Configuration Manager?
• Understanding the Configuration Manager console
• Understanding Configuration Manager Sites and Roles
• Understanding Configuration Manager Clients
• Configuration Manager Features and Capabilities
