Virtual techdays INDIA │ 9-11 February 2011 How Microsoft IT Does Desktop Patch Management Partha Chandran │ Sr. Service Engineer, Microsoft.

1 virtual techdays INDIA │ 9-11 February 2011 How Microsoft IT Does Desktop Patch Management Partha Chandran │ Sr. Service Engineer, Microsoft

2 Our Team & What we do
- Management Platform and Service Delivery
- Operational Team of System Center - Desktop Management System Technologies
- Deployment Services - System Center Configuration Manager
- Dogfooding (early adoption/product feedback): ConfigMgr 2012, R3, Forefront, etc.
- Windows Update/Microsoft Update infrastructure
- Windows Intune
- Customers:
  - Microsoft IT
  - Microsoft Retail Stores
  - Online Customers: Energizer and XL

3 Session Agenda
- How Microsoft IT uses Configuration Manager?
- Configuration Manager Architecture Overview
- Software Updates Management – Process & Best Practices
- Preparing for the Future
- Q & A

4 How Microsoft IT Uses Configuration Manager?

5
- Microsoft Offices in 105 Countries
- 89k Employees Globally
- 70k Vendors Globally
- Microsoft locations: 400
- ConfigMgr Sites: ~230
- ConfigMgr Clients: ~300,000
[Slide graphic label: Auckland]

6 Configuration Manager Service Boundaries
- Datacenter Machines (SPM): ~24,000
- Lab Services: ~50,000
- Other OUs: 40,000
- Network Attached Devices: ~80,000
- Smart Phones: ~60,000
- Supported Full Service Domains: ~280,000
- IP based devices: ~890k
- Supported Limited Service Domains: ~5,000
- AD Clients: ~420k
- ConfigMgr: ~285K
- PHX / GFS: ~250,000
- IP connected Machines: ~500,000
- NTDEV: ~24,000
- Workstation OU: 280,000

7 Services Offered to Desktops in Microsoft IT
- Full Service
  - Software Distributions
  - Asset Reporting – hardware & software inventory, asset intelligence
  - Patch Management and “Test Pass” Patching
  - 3rd party patching using Software Distributions
  - Operating System Deployment
  - Application Virtualization deployment (App-V)
  - Desired Configuration Management
- Limited Service
  - Patch Management, including MPSD-managed WSUS
  - Asset Reporting

8 Configuration Manager Architecture Overview

9 Configuration Manager Architecture
Disclaimer: Microsoft IT’s System Center Configuration Manager 2007 hierarchy has ~130,000 clients assigned at a primary site and 275,000 clients in a hierarchy. The supported System Center Configuration Manager 2007 limit is 100,000 per primary site and 200,000 per hierarchy without a custom scale agreement.

10 Physical vs Virtual – ConfigMgr Site Roles in Microsoft IT

11 Client Agent Cycles
Client agent: Cycle
- Hardware Inventory: 3 days
- Software Inventory: 3 days
- Discovery – Heartbeat Discovery: 1 day
- Computer Client – Policy Interval: 1 hour
- Computer Client – State Message Reporting Cycle: 15 minutes
- Software Update Client – Scan Schedule: 1 day
- Software Update Client – Updates Re-evaluation: 1 day

12 Client Health Script
- Runs as computer startup script through GPO
- Completely silent and does not prompt users
- Runs asynchronously to minimize logon time
- Client health status is generated from the client
- Future enhancements
  - WMI check and remediation will be included
  - Client remediation will be part of next version of SCCM

13 Client Health Script features
- Check for SCCM client and install or upgrade client
- Check and start WMI, SCCM, WSUS services
- Check and report last reported time for client health indicators
  - Hardware Inventory
  - Software Inventory
  - Heartbeat Discovery
- If indicators are older than 5 days, initiate them
- Reinstall the client if initialization fails
- Enable SCCM components if disabled
- Check BITS version and assign client to correct site if site code is missing
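The service and indicator checks listed on this slide, sketched as an added PowerShell example; it is not Microsoft IT's script and is not taken from the presentation. It assumes the standard ConfigMgr 2007 client WMI classes (InventoryActionStatus in root\ccm\invagt, SMS_Client.TriggerSchedule in root\ccm), reads "WSUS services" as the Windows Update agent service, uses hypothetical function names, and leaves client install, reinstall and site assignment out.

```powershell
# Added example, not Microsoft IT's script. Treating "WSUS services" as the
# Windows Update agent (wuauserv) is an assumption; nothing here reinstalls.
$MaxAgeDays = 5   # staleness limit from the slide
$Indicators = @{  # inventory action ID, also the TriggerSchedule ID
    '{00000000-0000-0000-0000-000000000001}' = 'Hardware Inventory'
    '{00000000-0000-0000-0000-000000000002}' = 'Software Inventory'
    '{00000000-0000-0000-0000-000000000003}' = 'Heartbeat Discovery'
}

function Repair-RequiredService {
    param([string[]]$Name = @('Winmgmt', 'CcmExec', 'wuauserv'))
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { "$n : not installed"; continue }
        if ($svc.Status -ne 'Running') { Start-Service -Name $n -ErrorAction SilentlyContinue }
        "$n : $((Get-Service -Name $n).Status)"   # re-query so a failed start is visible
    }
}

function Get-StaleIndicator {
    param([int]$MaxAgeDays)
    $rows = Get-WmiObject -Namespace 'root\ccm\invagt' -Class InventoryActionStatus -ErrorAction SilentlyContinue
    foreach ($id in $Indicators.Keys) {
        $row  = $rows | Where-Object { $_.InventoryActionID -eq $id } | Select-Object -First 1
        $last = [datetime]::MinValue              # no record counts as stale
        if ($row -and $row.LastCycleStartedDate) {
            $last = [Management.ManagementDateTimeConverter]::ToDateTime($row.LastCycleStartedDate)
        }
        if (((Get-Date) - $last).TotalDays -gt $MaxAgeDays) {
            New-Object psobject -Property @{ Name = $Indicators[$id]; ScheduleId = $id; LastRun = $last }
        }
    }
}

Repair-RequiredService
if (-not (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)) {
    'ConfigMgr client not found: hand off to the install/upgrade step'
    return
}
foreach ($s in Get-StaleIndicator -MaxAgeDays $MaxAgeDays) {
    "Stale: $($s.Name), last run $($s.LastRun); requesting a new cycle"
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $s.ScheduleId | Out-Null
}
```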

14 Software Updates Management – Process & Best Practices

15 Patch Process Overview
- Pre-Patch Deployment: Monitor for Release/Advisory; Acquire; Evaluate Risk Mitigation Plan for Patches; Prioritize
- Patch Deployment: Test and Approve; Create and Test Deployment Package; Deploy
- Post Patch Deployment: Confirm Deployment; Clean Up; Document and Update Configuration Standards; Report on Security Patch Compliance

16 Patch Deployment Experience for Users

17 Patching Best Practices
- Security of the environment must be Top Priority
- Communicate to users every month about Patch Tuesday
- Deploy patches consistently after validation phase is complete
- Create well defined site boundaries
- Use silent patching for a better user experience
  - Silent patching for 6 days, 3 days of enforcement
- Minimize reboots
  - Ideally one reboot per patch cycle
- Use WSUS to install the SCCM Client
- Use GPO to pre-configure SCCM client settings

18 Patching Best Practices
- Use WSUS to install recurring updates such as antivirus signature updates and junk mail filters
- Perform QC on deployments before release to production
- Monitor and remediate hierarchy issues promptly
- Monitor Enforcement States of the deployment daily during patch cycle
- Remove expired updates and content from deployments periodically
- Periodic WSUS Cleanup for WSUS based deployments

19 Patching Best Practices
- Updates Package Maintenance Strategy
  - Keep the 2 current months’ deployments active
  - Rest in sustainer packages
- Sustainer package sizing strategy
  - Break larger packages for efficient replication (>4 GB)
- For large hierarchies, keep package updates to a minimum during the enforcement cycle
- ConfigMgr patching uses WSUS, so manage policy for consistent WU settings across the enterprise

20 Desktop Services SLA – Patch Delivery
Patch Delivery (SLA): Description
- Purpose: Ensure the timeliness of Microsoft security updates delivery to end users
- Target Compliance:
  - Active Exploit deployed to 95% of computers within 3 business days
  - Critical patches deployed to 95% of computers within 9 business days
- Compliance Period: 3 or 9 business days, as appropriate
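How the two SLA targets on this slide can be measured, as an added PowerShell example that is not part of the presentation. It assumes the window is counted from the release date, treats only weekends as non-business days, uses hypothetical function names, and runs on constructed machine records.

```powershell
# Added example. Counting from the release date and skipping only weekends
# (no holiday calendar) are assumptions; the machine records are constructed.
$SlaDays   = @{ 'ActiveExploit' = 3; 'Critical' = 9 }   # business days, from the slide
$TargetPct = 95                                          # target compliance, from the slide

function Add-BusinessDay {
    param([datetime]$Start, [int]$Days)
    $d = $Start.Date
    while ($Days -gt 0) {
        $d = $d.AddDays(1)
        if (@('Saturday', 'Sunday') -notcontains "$($d.DayOfWeek)") { $Days-- }
    }
    $d
}

function Get-SlaCompliance {
    param([string]$Class, [datetime]$Released, [object[]]$Machines)
    $deadline = Add-BusinessDay -Start $Released -Days $SlaDays[$Class]
    # An install any time on the deadline day still counts as on time.
    $onTime = @($Machines | Where-Object { $_.Installed -and $_.Installed -lt $deadline.AddDays(1) }).Count
    $pct    = [math]::Round(100 * $onTime / $Machines.Count, 1)
    New-Object psobject -Property @{
        Class = $Class; Deadline = $deadline; OnTimePct = $pct; MetSla = ($pct -ge $TargetPct)
    }
}

# Constructed sample: 20 machines, updates released on Tuesday 8 February 2011.
$released = [datetime]'2011-02-08'
$machines = foreach ($i in 1..20) {
    $installed = $null                                   # PC20 never installs
    if ($i -le 18) { $installed = $released.AddDays(1 + ($i % 3)) }
    if ($i -eq 19) { $installed = $released.AddDays(10) }
    New-Object psobject -Property @{ Name = "PC$i"; Installed = $installed }
}

Get-SlaCompliance -Class 'ActiveExploit' -Released $released -Machines $machines
Get-SlaCompliance -Class 'Critical'      -Released $released -Machines $machines
```

The same install data can miss the 3-day target and meet the 9-day one, which is why the compliance period has to be chosen per update class before the percentage is reported.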

21 Preparing for the future

22 Configuration Manager 2007 R3 – Power Management
- Monitor current power state and consumption
- Plan and create a power management policy, check for exceptions
- Apply power management policy
- Check compliance and remediate non-compliance
- Report savings in power consumption and costs, and environmental impact

23 Forefront Endpoint Protection 2010 + ConfigMgr 2007
- HELP PROTECT everywhere
  - Advanced and comprehensive malware protection for clients and servers
- INTEGRATE and EXTEND security
  - Lower costs of endpoint protection deployment and ownership
  - Deployment of endpoint security with a proven scalable Config Manager infrastructure
  - Extends Windows OS security
- SIMPLIFY security MANAGEMENT experience
  - Simplified management through unified operational experience for endpoint security and management
  - Increased visibility of potentially vulnerable endpoints that allow you to take operational remediation actions

24 System Center Configuration Manager 2012 - Pillars of Release
- Modernize our infrastructure
  - Redesigned hierarchy and SQL Server replication
  - Automated content distribution
  - Client Health improvements and auto-remediation
  - Redesigned admin experience and role-based security model
  - Native 64-bit and full Unicode support
- Continue to improve
  - Software Updates auto-deployment (including Forefront definitions)
  - Automated settings remediation (DCM “set”)
  - Consolidated and expanded mobile device management
  - Improvements to OS Deployment and Remote Control
  - And much, much more…
- Embrace user-centric management
  - Provide a rich application management model to capture admin intent
  - Allow the administrator to think users first
  - Provide the end user a fitting user experience to find/install software with
  - Allow the user to define their relationship to applications

25 SUMMARY: Key Takeaways
- Use Configuration Manager to update and manage your desktops
- Develop a business rhythm for patch deployment
- Use validation groups to ensure security updates don’t negatively impact your business
- Use server virtualization to reduce operational costs
- Implement a dashboard to monitor the overall health of your environment

26 RESOURCES
- System Center Configuration Manager Technical Documentation: http://technet.microsoft.com/en-us/configmgr/default.aspx
- The Configuration Manager Support Team Blog: http://blogs.technet.com/configurationmgr/default.aspx
- System Center in Action - Best Practices: http://technet.microsoft.com/en-us/systemcenter/ee942121.aspx
- Configuration Manager Virtualization Technical Case Study: http://technet.microsoft.com/en-us/library/ff684119.aspx

27 THANKS
partha.chandran@microsoft.com

