SCCM 2012

About SCCM
1. Scans and inventories all managed devices.
2. Deploys client software to supported devices
- Tracks software and hardware components
- Streamlines software deployment.
- Manages patches
3. Bare metal OS Deployments
4. Endpoint protection
- Provides an antimalware and security solution for the Microsoft platform.
5. Settings Management
- Desired configuration management

What's New in SCCM 2012?


1. Architecture: 3 tiers
   - CAS - Central Administration Site
   - Primary
   - Secondary
   CAS can be used for reporting and management only.
   Primary sites can only be parents of secondary sites.
   Secondary sites now have their own database.
2. User-centric application model.
3. HTTP and HTTPS replace mixed and native mode.
4. Software Portal
5. Conditional Delivery
6. Role changes
   - Reporting point changed to Reporting Services Point
   - The PXE Service point moved into Distribution Point
   - The Server locator point moved into Management Point
7. New roles
   - Software Center
     - The Application Catalog website point (user end) (we can add an installation guide along with the package)
     - Application Catalog web services point
   - Enrollment proxy point
     - Manages enrollment requests from mobile devices
   - Enrollment point
     - Completes mobile device enrollment
8. Boundary Group.
9. Forest Discovery
   - Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy. This is a cool new benefit of Configuration Manager 2012.
   - You can use Active Directory Forest Discovery to do the following:
     - Discover IP subnets in an Active Directory forest
     - Discover Active Directory sites in an Active Directory forest
     - Add the IP subnets and Active Directory sites that are discovered as boundaries in Configuration Manager
10. Client Status
11. Virtual Application - App-V
12. Dependency deployment - App Deployment
13. Simulated Deployment - App Deployment
14. User Device Affinity
15. Application Revision
16. Application Supersedence
17. Application Retire
18. Automatic Deployment Rule - Software Updates
19. Compliance Settings and Remediation
20. Site Hierarchy diagram
21. Role Based Access security
22. Distribution Point Groups

CAS Central Administration Site


The Central Administration Site is for large organizations with more than 100,000 clients in the hierarchy. Once you have a CAS, you can install primary sites underneath it for managing users and devices. Secondary sites can then be installed below primary sites for managing devices over slow connections.
If your organization has fewer than 100,000 clients, you should only use stand-alone primary sites.
The CAS is used for a multi-site hierarchy and is the first site to be built in one. The next layer consists of primary sites, where all processing happens. For smaller organizations, the first site deployed in the hierarchy is a primary site. But if you want to install more than one primary site, you can't install it without a CAS server.
In the previous version of SCCM, primary site servers could be installed and joined to the central site at any point in time. In SCCM 2012, primary site servers can only be connected to the central site during installation. This means that the CAS should be installed first, before any primary sites in the hierarchy.
Note: A CAS supports a maximum of 25 child primary sites.
Client data processing is not done by the CAS.
The CAS is used for administration and reporting. It requires a SQL database to be installed on the site server. The CAS supports up to 400,000 clients if SQL Server Enterprise or Datacenter is installed at the Central Administration Site, independent of the SQL Server edition at primary or secondary sites.
Up to 50,000 clients are supported if SQL Server Standard is used for the site database at the Central Administration Site. This limit remains even if we upgrade the SQL Server version at the Central Administration Site from Standard to Enterprise or Datacenter after installing Configuration Manager.
The CAS also doesn't support client assignment, as clients can only be assigned to primary sites. The reason for this is to let the central site provide better performance for administration.
The CAS does not support all site system roles.

Why many recommend not having a CAS in the hierarchy in SCCM 2012

The Central Administration Site is for large organizations with more than 100,000 clients.
Licensing costs go up: SQL, OS, hardware (unless it's VMs). A CAS introduces multiple moving parts. There is additional support overhead for fixing replication issues, bugs in that space, the usual stuff.

Primary Site
Primary site can support up to 100,000 clients
Manages clients in well-connected networks.
Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in
Configuration Manager 2007:

- Additional primary sites allow the hierarchy to support more clients.
- Cannot be tiered below other primary sites.
- No longer used as a boundary for client agent settings or security.
- Participates in database replication.

Secondary Site
Controls content distribution for clients in remote locations across links that have limited network bandwidth.
Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in
Configuration Manager 2007:

- SQL Server is required and SQL Server Express will be installed during site installation if required.
- A management point and distribution point are automatically deployed during the site installation.
- Secondary sites can send content distribution to other secondary sites.
- Participates in database replication.

SCCM Architecture Support limits


1. Each management point located in the primary site can support up to 25,000 client computers. To support 100,000 client computers, you must have at least 4 management points.
2. Each primary site can support up to 10 management points.
3. There can be only one management point in the secondary site, and it must be installed on the secondary site server.
4. Always place management points close to the primary site server or the site database server, over a fast link.
5. The maximum number of clients supported by the secondary site management point depends on the hardware configuration of the secondary site server.
6. Having more management points in a site provides redundancy and improves client-to-site communications.
7. One site: 250 DPs
8. One DP: 3,000 clients
9. One MP: 25,000 clients
10. One primary site: 250 secondary sites
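
The limits listed above, together with the CAS limits from the CAS section, applied as a planning check. This is an added example, not part of the original notes or of any Microsoft tooling; the plan dictionary layout and the names `check_hierarchy`, `LIMITS` and `SAMPLE` are hypothetical, and the numbers are the ones stated in these notes.

```python
import math

# Support limits exactly as listed in these notes for SCCM 2012.
LIMITS = {
    "primaries_per_cas": 25,
    "cas_clients": {"enterprise": 400_000, "datacenter": 400_000, "standard": 50_000},
    "clients_per_primary": 100_000,
    "clients_per_mp": 25_000,
    "mps_per_primary": 10,
    "clients_per_dp": 3_000,
    "dps_per_site": 250,
    "secondaries_per_primary": 250,
}

def check_hierarchy(plan):
    """Return findings for a planned hierarchy (dict layout is an assumption)."""
    findings, cas, primaries = [], plan.get("cas"), plan["primaries"]
    if cas is None and len(primaries) > 1:
        findings.append("more than one primary site requires a CAS")
    if cas is not None:
        if len(primaries) > LIMITS["primaries_per_cas"]:
            findings.append("CAS supports at most 25 child primary sites")
        total = sum(p["clients"] for p in primaries)
        cap = LIMITS["cas_clients"][cas["sql_edition"]]
        if total > cap:
            findings.append(f"CAS on SQL {cas['sql_edition']}: {total} clients exceeds {cap}")
    for p in primaries:
        n = p["clients"]
        if n > LIMITS["clients_per_primary"]:
            findings.append(f"{p['name']}: {n} clients exceeds 100000 per primary")
        need_mps = math.ceil(n / LIMITS["clients_per_mp"])
        if p["mps"] < need_mps:
            findings.append(f"{p['name']}: needs at least {need_mps} management points")
        if p["mps"] > LIMITS["mps_per_primary"]:
            findings.append(f"{p['name']}: more than 10 management points")
        if p["dps"] > LIMITS["dps_per_site"]:
            findings.append(f"{p['name']}: more than 250 distribution points")
        elif p["dps"] * LIMITS["clients_per_dp"] < n:
            findings.append(f"{p['name']}: {p['dps']} DPs cannot serve {n} clients")
        if p.get("secondaries", 0) > LIMITS["secondaries_per_primary"]:
            findings.append(f"{p['name']}: more than 250 secondary sites")
    return findings

SAMPLE = {"cas": {"sql_edition": "standard"}, "primaries": [  # constructed plan
    {"name": "P01", "clients": 100_000, "mps": 3, "dps": 40, "secondaries": 12},
    {"name": "P02", "clients": 20_000, "mps": 1, "dps": 5}]}

if __name__ == "__main__":
    print("\n".join(check_hierarchy(SAMPLE)))
```

The constructed plan trips three limits at once: the SQL Standard cap at the CAS, the management point count for a 100,000-client primary site, and the distribution point capacity of the smaller site.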

Native mode and Mixed mode - SCCM 2007


1. Choose native mode if any of the following conditions apply:
   - You require the highest security controls, using industry-standard protocols.
   - You require Internet-based client management.
2. Choose mixed mode if any of the following conditions apply:
   - You do not have the supporting public key infrastructure (PKI).
   - You have not installed the specific certificates required by Configuration Manager 2007.
   - The site contains SMS 2003 clients.
   - The site contains clients running Windows 2000 Professional or Windows Server 2000.
   - The parent site is configured for mixed mode.
   - Site systems running Internet Information Services (IIS) are not dedicated to Configuration Manager, and you cannot configure a custom website.
   - You must use WINS as the means by which clients can find their default management point (service location).
   - You do not want the site's secondary sites to be automatically migrated.

User device affinity


User device affinity in Microsoft System Center 2012 Configuration Manager is a method of associating a user with one or more specified devices. User device affinity can eliminate the need to know the names of a user's devices in order to deploy an application to that user. Instead of deploying the application to all of the user's devices, you deploy the application to the user. Then, user device affinity automatically ensures that the application is installed on all devices that are associated with that user.
You can define primary devices. These are typically the devices that users use on a daily basis to perform their work. When you create an affinity between a user and a device, you gain more software deployment options. For example, if a user requires Microsoft Office Visio, you can install it on the user's primary device by using a Windows Installer deployment. However, on a device that is not a primary device, you might deploy Microsoft Office Visio as a virtual application. You can also use user device affinity to predeploy software on a user's device when the user is not logged in. Then, when the user logs on, the application is already installed and ready to run.

Application Revision History

Application Supersedence

Application Retire
Per the documentation, when you retire an application, it is no longer available for deployment, but the application and any deployments of the application are not deleted. Existing copies of this application that were installed on client computers will not be removed. If an application that has no deployments is retired, it will be deleted from the Configuration Manager console after 60 days. However, any installed copies of the application are not removed.
Well, this is really interesting, and it is more interesting that you can reinstate the application if needed. But be aware: only retiring the application will not block people from installing it. If you have an active deployment, people can still use it.

Automatic Deployment Rule - Software Updates


An Automatic Deployment Rule lets you create update packages automatically according to criteria such as release date, classification or language. The schedule for creating update packages can be configured in a fine-grained way. It is possible, for example, to create an update package automatically every second Tuesday of each month. Once the package is created, it is automatically deployed to the deployment point, and servers perform updates during their maintenance period.
This update method should not be used in complex environments such as a Hyper-V cluster or Exchange infrastructure. These environments need an orchestrator to avoid downtime of services.

Compliance settings and Remediation


Compliance settings contain tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates, security settings, and mobile devices. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found.

SCCM Roles
Site Server:
A computer on which you run the Configuration Manager setup program and which provides the core
functionality for the site.
Site Database Server:
A site system role that runs Microsoft SQL Server and hosts the Configuration Manager site database.
Component Server:
Any server running SMS Executive and Configuration Manager services. This role is automatically installed
when you install all the site system roles except for the Distribution Point role.
Management Point:
A site system role that replies to Configuration Manager client requests and accepts management data from
Configuration Manager clients.
Distribution Point:
A site system role that contains source files for clients to download, such as application content, software
packages, software updates, operating system images, and boot images.
Reporting Services Point:
A site system role that provides integration with SQL Server Reporting Services to create and manage reports
for Configuration Manager.
State migration point:
A site system role that stores user state data when a computer is migrated to a new operating system.
Software update point:
A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to
Configuration Manager clients.
System Health Validator Point:
This role must be installed on a Network Policy Server. It validates whether Configuration Manager clients are
compatible or not with the software updates you select and passes the health state of the computers to the
Windows Network Policy Server.
Endpoint Protection Point:
This role allows you to manage Windows Firewall and antimalware security policies for client computers in
your hierarchy.
Fallback Status Point:
This site system role gathers state messages from clients for monitoring client installation and identifies
clients that are not able to communicate with their Management Point.
Out of band service point:
It allows administrators to connect to the computers that have the Intel vPro chip set and a version of Intel
Active Management Technology (Intel AMT), when the computer is turned off, in hibernation, or not
responding.
Asset Intelligence Synchronization Point:
A site system role that connects to System Center Online to download and manage Asset Intelligence catalog
information and upload uncategorized titles to consider them for future inclusion in the catalog.
Application Catalog web service point:
A site system role that provides software information to the Application Catalog website from the Software
Library.
Application Catalog website point:
A site system role that provides users with a list of available software from the Application Catalog.
Enrollment proxy point:
A site system role that manages enrollment requests from mobile devices so that they can be managed by
Configuration Manager.
Enrollment point:
A site system role that uses PKI certificates to complete mobile device enrollment and to provision Intel AMT-based computers.

Active Directory Tasks


Schema extensions
Benefits:
- Automatic discovery of SCCM client properties
- Port configuration for client to server communication
- Easier multi-site content deployment
- Use of NAP

Role Based Access Security


1. Hides interface elements based on user profile. Show only what is relevant to the current user.
2. Granular control over actions
3. SCCM 2012 ships with 14 pre-defined security roles

Roles and Scopes


Role = what a user can do
Scope = The objects a user can manipulate
Combined = How a user operates in SCCM 2012
Example:
Roles: Full Administrator, Endpoint Administrator
Scope: Security scope, Collection

Management Point
1. A site system role that provides policy and service location information to clients and receives configuration
data from clients.
2. Facilitates communication between clients and the SCCM server
3. An initial management point was installed during SCCM installation
4. Load balancers are no longer needed for high availability. Clients use AD to find the right MP.
5. Services previously offered by the server locator point role have been merged into the MP.
Every primary and secondary site requires that an MP be specified.
- CAS cannot host MP
- Secondary sites can use proxy MP
MP requirements
- IIS
- Background Intelligent Transfer Services

Distribution Point
A site system role that contains source files for clients to download, such as application content, software packages,
software updates, operating system images, and boot images.
A DP was installed during SCCM installation

Changes in SCCM 2012


- Branch DPs are gone
- Replaced with the ability to configure a Windows client as a DP (drawback: 20 connections max)
- PXE server point is now a DP option
- Background Intelligent Transfer Services
