Settings Management in Configuration Manager 2012 CEP session summary

Today another Configuration Manager 2012 Community Evaluation Program session was held; this time the subject was Settings Management. Program Manager Roger Kimble presented the latest information about Settings Management. Nice, and I think one of the key features of Configuration Manager 2012.

 

Key concepts of Settings Management in CM 2012

  • Baseline
    • Group of Configuration Items with presence rules
    • Can be deployed to user or device collections
    • Supported providers: Active Directory, File, Script, SQL, Software Update, WMI, XML, Registry, IIS and MSI
  • Configuration Items
    • Configuration model defined for OS and Application (settings, rules, applicability)

Features and improvements in Configuration Manager 2012

  • Simplify administrator experience
    • Role-based administration built in with the Compliance Settings Management Role
    • Browse gold system when creating configuration items (point and click browsing a local or remote system to select registry settings or file system settings)
    • Simplified Baseline creation experience
    • Re-use of settings across configuration boundaries
  • Deployment of baselines
    • User and device targeting of baselines
    • Define compliance SLAs for baseline deployments and generate alerts
    • Maintenance window – new since beta 2 version of Configuration Manager 2012
  • Monitor baseline deployment compliance status
    • In console monitoring
    • Updated reports to include remediation, conflict and error reporting
  • Remediation for selected setting types
  • Configuration Item Revisions
  • Support for mobile phones (Windows Phone)
  • Migration of existing baselines and Configuration Items from Configuration Manager 2007 to Configuration Manager 2012.

 

User and device targeting
Scenario: Deploy configuration policy to users and devices, remediate and report compliance for user or device.
Design principle: All the devices where the user logs on will receive the baselines

  • The new verb is “Deployment”; the term “assignment” is no longer used
  • Deploy baselines to user or device collections
  • If deployed to users, the evaluation options are:
    • Evaluate baseline on all devices the user logs on to
    • Evaluate baseline on only user’s primary machines
  • Configuration Items in baseline can contain user and device settings
  • User settings:
    • Registry settings stored under HKCU
    • Script setting: run discovery and remediation scripts under user context
  • Configuration Items with user settings will be evaluated when the user logs on.

Define compliance SLAs for Baseline deployments
Scenario: Alerts admin when target compliance threshold is not met.
Design principle: Provide a clear alert description and the condition not met for each baseline deployment. The admin can manage alert properties for each baseline deployment, which is aligned with software deployment and software update management.

  • Admin can define target compliance SLA % at baseline deployment level
  • Alerts are generated if the SLA is not met
  • Customize alert properties
  • Re-evaluate the alert condition again at a future time.

In console monitoring
Scenario: Allow admin to view baseline deployment compliance statistics within console
Design principle: show the most important issues admin needs to worry about in priority order within the console

In-console summarization

  • Most common non-compliant/errors sorted based on number of devices/users impacted
  • Deployed to users vs. devices
    • If deployed to user collection, asset details are sorted by user
    • If deployed to device collection, asset details are sorted by device
  • Reports are also available and now include remediation, conflict and error reporting

Monitor versus Remediate

  • Monitor: Microsoft still supports monitoring for all Configuration Manager 2007 setting providers (registry key, registry value, file, folder, script, WMI, XML, etc.). It checks for the existence of the setting or checks the value of the setting.
  • Remediation: only supported for registry-, WMI- and script-based settings and all mobile phone settings
    • Create setting if not exist
    • Set value if not compliant
    • Run remediation script
    • Remediate phone settings
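
The monitor-then-remediate cycle listed above, sketched for a script-based user setting stored under HKCU. This is an added example, not code from the session or from Microsoft; the registry key, value name and expected data are assumptions chosen for illustration, and the two functions stand in for the separate discovery and remediation scripts of a Configuration Item.

```powershell
# Added example. Key path, value name and expected data are assumptions
# picked for illustration (a password-protected screen saver policy).
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ValueName = 'ScreenSaverIsSecure'
$Expected  = '1'

function Get-SettingState {
    # Discovery: return one string that a compliance rule can compare.
    # A missing key or value is reported as a sentinel instead of an error,
    # so "does not exist" and "wrong value" both evaluate as non-compliant.
    try {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
        return [string]$item.$ValueName
    }
    catch {
        return 'NotConfigured'
    }
}

function Set-SettingState {
    # Remediation: create the key if it does not exist, then set the value.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected `
        -PropertyType String -Force | Out-Null
}

# Local dry run of the cycle: evaluate, remediate if needed, re-evaluate.
$before = Get-SettingState
if ($before -ne $Expected) {
    Set-SettingState
}
$after = Get-SettingState

[pscustomobject]@{
    Before    = $before
    After     = $after
    Compliant = ($after -eq $Expected)
}
```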

Reporting
Reporting lets you see compliance at a glance in thirteen reports. You can drill down to see the details and view troubleshooting, remediation and conflict information.

Mobile phone support
Scenario: support configuration and compliance management for mobile phones
Design principle: Unified platform and user experience to define, monitor, enforce and report configuration compliance for users across all supported Configuration Manager devices.

  • Fully integrated authoring, targeting and reporting experience
  • Easily build a Configuration Item from built-in common settings or create your own settings
  • Compliance evaluation off-loading to server to limit battery and CPU impact on mobile devices
  • Currently supported: Windows Mobile 6.1, Windows Phone 6.5 and select Symbian devices. Support via the Exchange connector and for newer Windows Mobile devices will come in the future.
  • You are able to configure Configuration Items like:
    • Password, email management, security, peak synchronization, roaming, encryption, wireless communications and certificate settings. You are also able to create custom Configuration Items.

Revisions of Configuration Items
Like revision support in the new application model, revisions are also supported for configuration items. Revisions are stored in the database and you are able to revert to an earlier version or change the revision in a baseline.

Migration
As mentioned in earlier blogs, you are able to migrate configuration items and baselines from Configuration Manager 2007 to Configuration Manager 2012. You are also able to import Config Packs into Configuration Manager 2012. The v4 schema of items that are migrated or imported is automatically converted to the v5 schema.

The next Configuration Manager CEP session will be held on September 21 @ 9:00-10:30 AM Pacific Time. In the meantime, a Data Protection Manager session will be held on September 14 @ 8:00-9:00 AM Pacific Time.

Till next time.

Peter
