Holy Cow! Why on Earth Did You Do That?

Presentation transcript:

Holy Cow! Why on Earth Did You Do That?
Kent Agerlund, CT Global (Blog.Coretech.global)
Jason Sandys, CT Global (home.configmgrftw.com)

Kent Agerlund (@Agerlund): MVP & Regional Director, 20+ years, "Never Walk Alone"
Jason Sandys (@JasonSandys): MVP for 8 years, 20+ years, "Glory Glory, Man United"

Agenda

Client Agent Promotion (Jason)

Tried to Promote the Client Agent Without Proper Permissions
- Requires the Full Administrator role
- Assigned to All Scopes
- If all else fails, use the site installation account

Deleted the Site Installation Account
Re-point the orphaned administrator record in the site database to a new account's SID:

USE <CM DB Name>
-- Identify the AdminID of the record that still points at the deleted account
SELECT AdminID, AdminSID, LogonName, DisplayName FROM RBAC_Admins
GO
-- Replace its SID with the SID of the new account
UPDATE RBAC_Admins SET AdminSID = '<New Admin Account SID>' WHERE AdminID = <Old AdminID>

WSUS Needs Love Too (Kent, demo)

Ignored WSUS
The DB is your precious:
- Decline superseded and Itanium updates
- Re-index the database and rebuild statistics
- Check the database compatibility level
Configure the IIS app pool:
- Queue length
- Private memory limit
Database:
- Location
- Shared
- License type
Shared database and multiple WSUS: https://blogs.technet.microsoft.com/configurationmgr/2016/10/12/how-to-implement-a-shared-susdb-for-configuration-manager-software-update-points/

Windows 10 Feature Update Deferral (Jason)

Deferred Windows 10 Feature Updates Prematurely
- Deploy feature updates
- Can/does break updates in ConfigMgr
- Enables dual-scan once a feature update deferral policy is configured
https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

Feature Update Deferral Policies
Meant for Windows Update for Business; they live under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:
- DeferFeatureUpdate
- DeferFeatureUpdatePeriodInDays
- DeferQualityUpdate
- DeferQualityUpdatePeriodInDays
- PauseFeatureUpdate
- PauseQualityUpdate
- DeferUpgrade
- ExcludeWUDriversInQualityUpdate

Dual-Scan
What is it: the WUA automatically scans against both WSUS and WU. Anything on WSUS that resides in the "Windows" product family is ignored by the dual-scan client.
When is it enabled: "Specify intranet Microsoft update service location" (i.e., WSUS) is set, and either of the Windows Update for Business policies ("Select when Feature Updates are received" or "Select when Quality Updates are received") is set*.
Why enable it: Windows updates come from the cloud; light and automated management.
* Enabled or Disabled; either state counts as "set".

Reversing Dual-Scan
1. Set all WU for Business policies to Not Configured. This ensures that you are not in dual-scan mode.
2. Verify that you have installed the November 2016 Cumulative Update for 1607, or any more recent Cumulative Update.
3. Enable the group policy System/Internet Communication Management/Internet Communication settings/Turn off access to all Windows Update features.
4. In an elevated command prompt, run "gpupdate /force", followed by "UsoClient.exe startscan".
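As an added example (not from the presentation), this read-only PowerShell check reports whether a client currently meets the dual-scan conditions above: a WSUS server is specified and any Windows Update for Business deferral value is present, whether the policy is Enabled or Disabled. It assumes the policy registry paths shown; the value names include both the slide's spellings and the plural spellings used by current ADMX files, and DisableWindowsUpdateAccess is assumed to be the value written by "Turn off access to all Windows Update features".

```powershell
# Added example: detect the dual-scan condition on a Windows 10 client. Run elevated.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

# Deferral value names from the slide, plus the plural spellings in current ADMX files (assumption).
$wufbValues = @(
    'DeferFeatureUpdate', 'DeferFeatureUpdates', 'DeferFeatureUpdatePeriodInDays',
    'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdate', 'DeferQualityUpdates',
    'DeferQualityUpdatePeriodInDays', 'DeferQualityUpdatesPeriodInDays',
    'PauseFeatureUpdate', 'PauseFeatureUpdates', 'PauseQualityUpdate',
    'PauseQualityUpdates', 'DeferUpgrade', 'ExcludeWUDriversInQualityUpdate'
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the policy is Not Configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wsusServer  = Get-PolicyValue $wuPolicy 'WUServer'
$useWsus     = Get-PolicyValue $auPolicy 'UseWUServer'
$presentWufb = @($wufbValues | Where-Object { $null -ne (Get-PolicyValue $wuPolicy $_) })
$wuAccessOff = Get-PolicyValue $wuPolicy 'DisableWindowsUpdateAccess'

# Condition 1: an intranet update service location (WSUS) is specified and in use.
$intranetSet  = (-not [string]::IsNullOrEmpty($wsusServer)) -and ($useWsus -eq 1)
# Condition 2: any WUfB deferral value exists; presence is what matters, not its data.
$dualScanRisk = $intranetSet -and ($presentWufb.Count -gt 0)

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    IntranetWsusConfigured = $intranetSet
    WsusServer             = $wsusServer
    WufbPoliciesPresent    = ($presentWufb -join ', ')
    DualScanLikely         = $dualScanRisk
    WuAccessTurnedOff      = ($wuAccessOff -eq 1)
    Remediation            = if ($dualScanRisk) {
        'Set WUfB policies to Not Configured, then gpupdate /force and UsoClient.exe startscan'
    } else { 'None' }
}
```

Run it through a ConfigMgr script or CI item across the estate to find clients that will scan against WU instead of the SUP.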

Site Role Location (Kent): MP and SUP

Placed MPs and SUPs at Remote Locations
Client traffic:
- Inventory
- State/status messages
- Policy
- Update scan/catalog
- Content
MPs and SUPs are not meant for remote locations. Know your traffic (inventory, state messages, update scan, content, policies) and don't over-complicate your infrastructure.

Best Way to Get Rid of Old Server OSes (Jason)

Used a Migration to Get Off of Windows Server 2008 or 2008 R2
Windows Server 2008 and 2008 R2 are not supported for ConfigMgr CB 1702+. Options:
- Migrate
- In-place OS upgrade
- Site backup and restore

OS Change Pros and Cons (comparing Migrate, OS Upgrade and Site Restore)
Criteria compared on the slide:
- Fully supported
- Preserves all configurations
- Reinstallation of site roles: All / Some / None
- Redeployment or reconfiguration of clients
- Downtime required
- Easy fallback
- Requires new hardware or virtual machine
- Shared DPs or content re-distribution across WAN
- Involves "risky" OS in-place upgrade

CBB Is CB by Another Name (Jason)

Looked for CBB and CB Updates
- Deferral policy != CBB or CB
- CBB = CB + latest CU
- Updates apply to the Windows 10 version and not the servicing branch
- Coming soon: "Semi-Annual Channel (Pilot)" and "Semi-Annual Channel (Broad)"

Internet Clients Are the Norm (Kent)

Cloud Management Gateway
Problem: remote, roaming user system management, with support for key features like software update management, machine policies and inventory.
ConfigMgr solution today: traditional Internet Based Client Management in a DMZ (way too complex), or VPN (hmmmmm, it's not the 00's anymore, wake up).
Since 1606 the CMG supports: machine policy, content, updates, client notification.

What You Need to Know
- Azure subscription
- Certificates
- Firewall: port 443 out to Azure
- Scaling: by default a single VM, can be modified to 16; multiple CMG services per site
Notes: we build the channel with HTTPS or TCP-SSL from the proxy connector to the proxy service. Once the channel is established, the proxy service can forward the client request and get the response from the proxy connector. It handles synchronous calls from clients. 4k per CMG VM instance is supported in 1610; a Standard_A2 VM is created.
https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway
https://github.com/Microsoft/SCCMdocs/blob/master/sccm/core/clients/manage/plan-cloud-management-gateway.md

What to Configure
1. PKI: play the certificate game.
2. Configure CMG in the console; this provisions the service in Azure.
3. Create the CMG connector on-prem; this establishes the outbound connection from on-prem to Azure.
4. Configure site systems: MP and SUP.
Demo: log into Azure and show the management certificate; log into ConfigMgr and show the management gateway properties; show the site system properties for MP/SUP; show the software update deployment; switch to the client and show policyagent.log; show Software Center; install a software update and check the download URL; show the CMG interface: traffic and number of client connections.

What Can Go Wrong
PKI environments with a sub-CA: broken CA chain; look for 403.
Software update scanning: defined data chunk not big enough; look for 413 in the Azure host IIS log, e.g.:
2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 100.84.108.67 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - 77.243.43.106 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - via001cmg.cloudapp.net 413 0 0 357 14260 187
Where to look: Azure host IIS log files; client log files wuahandler.log, ccmmessaging.log, scanagent.log, policyagent.log.
Troubleshooting:
http://blog.coretech.dk/kea/cloud-management-gateway-with-sub-ca/
http://blog.coretech.dk/kea/software-update-scan-error-using-cloud-management-gateway/
Demo, software update issue: client log file wuahandler.log; log in to Azure, ProxyEndpointConfig; open SQL and execute the script, make a change in the CMG configuration and monitor cloudmgr.log:
update Proxy_EndpointDefinition set RequestLimitContentLength=1048576 where Name='ClientWebService'
select * from Proxy_Settings
Then check ccmmessaging.log on the client.
Demo, certificate issue: log into Azure, enable RDP, show the IIS log files, show the certificates; the chain is broken, the intermediate cert must be uploaded.
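As an added example (not from the presentation), this PowerShell function scans a CMG IIS W3C log for the HTTP 413 responses that signal the ClientWebService request size limit is too small, and reports the largest rejected request so you know how far RequestLimitContentLength has to be raised. The sample log is constructed; its first data row is the line from the slide, and the "#Fields:" header is assumed to be the standard one IIS writes.

```powershell
# Added example: find "request too large" (413) hits against the CMG proxy in an IIS W3C log.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 100.84.108.67 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - 77.243.43.106 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - via001cmg.cloudapp.net 413 0 0 357 14260 187
2017-03-13 07:00:41 W3SVC1273337584 RD00155D563B24 100.84.108.67 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - 77.243.43.106 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - via001cmg.cloudapp.net 200 0 0 5120 900 44
'@

function Find-CmgRequestTooLarge {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {            # the header defines the column order
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Only 413s on the CMG proxy path matter here; other paths are not the scan endpoint.
        if ($row['sc-status'] -eq '413' -and $row['cs-uri-stem'] -like '/CCM_Proxy_ServerAuth/*') {
            [pscustomobject]@{
                Time         = "$($row['date']) $($row['time'])"
                ClientIP     = $row['c-ip']
                UriStem      = $row['cs-uri-stem']
                RequestBytes = [int]$row['cs-bytes']     # size of the request IIS rejected
                UserAgent    = $row['cs(User-Agent)']
            }
        }
    }
}

$hits = @(Find-CmgRequestTooLarge -Lines ($sampleLog -split "`r?`n"))
$hits | Format-Table -AutoSize
if ($hits.Count -gt 0) {
    $max = ($hits | Measure-Object -Property RequestBytes -Maximum).Maximum
    "Largest rejected request: $max bytes; RequestLimitContentLength must exceed this."
}
```

Point `-Lines` at `Get-Content` of the real log on the Azure host to check a live CMG instead of the constructed sample.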

Long Term Sounds Good (Jason)

Used ConfigMgr LTSB
Why use LTSB: your company thinks it's saving money by not buying Software Assurance.
Why not use LTSB: many features removed; not entitled to the latest Current Branch builds.

Features Removed in LTSB
- In-console updates that add new features and improvements
- Support for newly released operating systems to use as site servers and clients
- Use of a Microsoft Intune subscription to support Intune in a hybrid mobile device management (MDM) configuration and on-premises MDM
- The Windows 10 Servicing Dashboard and Servicing Plans, including support for recent Windows 10 Current Branch (CB) and Current Branch for Business (CBB) versions
- Support for future releases of Windows Server and Windows 10 LTSB
- Asset Intelligence
- Cloud-based distribution points
- Exchange Online as an Exchange Connector

The Pointy Haired Guy Is Always Right (Kent)

Believed Your Manager When She Told You to Be at 100% Compliance Before the End of the Day
Know your enemies:
- Health
- Activity
- Visualization

And Some Real Crazy Stuff
Agent settings:
- Enabling all hardware classes
- Running software inventory once per hour
- Running hardware inventory every 15 minutes
- Configuring BITS to an insanely low number
And beyond:
- Rebuilding WMI on a daily basis
- Never creating a new reference image
- Running SQL with default settings
- Using the same domain account for all ConfigMgr purposes
- Enabling F8 in the WinPE image
- Configuring everyone as Full Administrator in the console