MMS 2013 Day 4 Roundup
We’re in the homestretch now as we reach day four at MMS 2013. This is the last full day of MMS but, unlike at TechEd, it is not the last day. TechEd switched from a five-day schedule to four days in 2008, but MMS still runs the entire week. The reward for making it through a full day of sessions? The Attendee Party, which was at the XS nightclub at Encore. But first I need to review my sessions for the day.
System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1 (UD-B331)
Speakers: Jason Githens, Mahyar Ghadiali
We’re running Config Manager 2007 and Forefront Endpoint Protection (FEP), but are planning to move to 2012 and the new Endpoint Protection (EP) soon. This session was a good overview of what to expect, and I liked pretty much everything they covered. With 2012 and SP1, management of EP finally feels like a fully integrated part of Config Manager and the console. Previously, sending commands to the client on systems felt disconnected because you had to wait for the client to check in on its normal polling cycle. Now the client uses “client notification” to provide a persistent connection between a client and management point. This channel lets you push tasks down to the client, generally within a minute. All EP operations use this channel. For more information about “client notification,” check out this blog post on the Config Manager team blog. You can run definition updates, initiate scans, allow threats, restore files from quarantine, etc. and monitor them as they run in real time.
Another big change is the merging of anti-malware policies on the client. Setting up policies in the old version was incredibly tedious because only one policy would be applied to a client. This made setting up exclusions difficult, especially for multi-role servers. Create a policy for SQL Servers and exclude these items? Done. Have another policy for a DPM server? Done. What if you’re running SQL locally on the DPM server? Without client merge, you have to duplicate your SQL exclusions in the DPM policy. This made for extra work in maintaining policies and a greater likelihood that you missed something. With client merge you can set up policies that contain just the settings you need and have them combine on the client as they are evaluated. This is a long-overdue change.
Add in more frequent definition updates, improvements to the client, and added features for Windows 8 client such as Early Launch Antimalware (ELAM), and you’re looking at a much more easily managed and (hopefully) better performing Endpoint Protection client. I can’t wait to upgrade.
I have to add that I thought the speakers did a great job responding to the alarm that went off at the conference center. About ten minutes in, alarms started going off, lights were flashing, and a recording kept repeating over and over that an incident was being investigated. Jason quipped that this was what happened when malware is detected with the new client. It was quite amusing, and they handled the disturbance well.
Speakers: Tim Crabb
I was glad to see multiple sessions dealing with User Experience Virtualization (UE-V). I don’t hear people talking about UE-V much, but I’m working on deploying this in our environment at work to address performance issues with roaming profiles. The idea of removing roaming profiles and replacing them with a lightweight mechanism like UE-V is hard to ignore. This session was a good overview of UE-V, how it works, and how to deploy and manage it. I already had that well in hand (in my opinion at least) so it was reassuring not to see any surprises during the presentation. Afterwards I was able to ask Tim a couple of questions that had nagged me since the beginning.
My main concerns have been focused on how you transition from roaming profile to UE-V and making that cutoff between the two. We have so many applications that we run because we’re a University and making sure we have settings templates for all of them is challenging. I worry that I’m going to move over a professor, not have a template for one of his apps, and soon he’s complaining because the settings that used to roam no longer do. There really isn’t a good answer other than to acknowledge that could happen and manage expectations as the process goes on that it could happen with lesser-used applications. I suggested that an application to read a user’s registry and populate settings packages would be useful as part of a migration. That’s something they’ve considered, but there hasn’t been any movement in that area.
UE-V is one of those products that probably doesn’t get the attention it deserves. Yet another hidden gem in Microsoft Desktop Optimization Pack (MDOP). Really don’t understand why some companies don’t license MDOP. Such a useful amalgamation of tools.
Speakers: Jason Sandys (@JasonSandys)
I’ve been using Config Manager for quite some time, yet I still deploy Microsoft Updates using WSUS. I’ve made multiple runs at using Config Manager, but it always seemed overly complex to manage without much return for the complexity. WSUS on the other hand is easy to use and just works. Plus it has an option to not reboot the system while someone is logged in (important for professors who leave programs running constantly), which I would have to use scripts to replicate in Config Manager. With the move to 2012, I’m giving Config Manager another chance.
I must not be alone, because Jason asked at the start of the session how many of us were using WSUS and reluctant to move to software updates in CM. I’ll need to spend some time testing this feature out, but at first glance it looks a little less onerous. For example, Jason had a slide explaining the difference between Software Update Groups, Update Deployments, and Update Packages. It is not exactly obvious how these differ from each other, how they are used, etc. I won’t say I’m ready to jump in and start deploying updates, but having him go through this and the rest of the process helped quite a bit.
He also had a slide suggesting that you will get better update compliance and user satisfaction by going with user-initiated updates and not pushing them out completely silent. I’m not sure I agree, based on my experience with our users, but I might give it a try. My biggest concern is training them to distinguish between “good” update prompts and “bad” update prompts. Not sure I want to wade into that.
Speakers: Johan Arwidmark (@jarwidmark)
I usually attend Johan’s MDT deployment sessions at TechEd (and now at MMS), not because I’m unfamiliar with MDT or need help setting it up, but rather because watching and listening to him inspires me to want to do more with the tool. I’m still on MDT 2010 purely because of the idea “If it ain’t broke, don’t fix it.” MDT 2010 is working fine the way I set it up (quite some time ago), and I never seem to have the time to spare to work on an upgrade. Needing to deploy Windows 8 later this year is going to be a big motivator to make the switch, but for immediate motivation, Johan’s sessions are great.
During this session, he covered using a hydration kit with MDT to deploy a deployment solution using MDT in a lab environment. Yes, he uses MDT to deploy MDT. A bit meta, but work with me here. You can download the hydration kit from the Deployment Research website. You will need to provide the various installers for the components, but along with the kit, you have a solution ready to go. I’m the first to admit I don’t test things in the lab half as much as I should. These kits make setting up a lab so easy, however, that I really don’t have a valid excuse anymore. Something for me to work on. You can grab a hydration kit for the complete System Center suite on the Deployment Bunny website. Go to both of those sites and search on hydration to see what other kits they have for download.
After going through the process of using the hydration kit, Johan moved on to discussing building a reference image. He reiterated the guidance that you should always use a VM to create your reference image. Using a VM ensures you avoid including any odd software applications that might get installed with your hardware drivers. A VM also lets you use snapshots to save time as you work through the creation process.
He discussed what you should include in your reference images and what should be left out. Programs that everyone uses, such as Office, are a good option to include in your image. Office is slow to install, so including that in the reference image saves time when you deploy to machines vs installing it later. Programs such as Java and Adobe Reader which are small and frequently updated (“every third hour” according to Johan) should probably be left out of the reference image and installed during deployment. The .NET Frameworks and Visual C++ runtimes are good to include in your reference image as well because many programs you will install later will make use of them.
Another useful tip is to boot your VM using an ISO and not via PXE boot because the ISO is faster. This suggestion may seem obvious, but I’ve always been so fixated on PXE boot that it never occurred to me to use the ISO that gets created when you update your distribution share. Like I said, no matter how long I use MDT, I always learn something new from Johan.
I could keep going, but you should just watch the session yourself and then go visit the Deployment Research website and start reading and be ready to have your mind blown.
Speakers: George Matthews (@geomat)
George called his session the “MMS Pre-Planning Party Session” since this was the last one separating us from the evening party. This session focused on moving from an App-V 4.6 deployment to App-V 5.0. Microsoft makes this quite easy by letting the two clients run side-by-side on the same machine. The 4.6 client handles your 4.6 packages, and the 5.0 client handles your 5.0 packages, letting you move at your own pace. Microsoft also provides a 5.0 Package Converter to convert your 4.6 packages to the new format. Why sequence what you can convert? George handled all the steps of the conversion using PowerShell, and even shared all the demos on Twitter using the Twitter account AppV+PowerShell (@AppVPowerShell). If you take a look at that account, you will see all the PowerShell commands used during the session on April 11.
I would go into the after-conference activities here, but this post has gone on longer than I expected, so I’m going to comment on the party in my next post. Check it out.