Friday 15 May 2015

Configuration Manager 2012 R2 Service Pack 1 & Microsoft Intune Enhancements

With the release of Configuration Manager 2012 R2 SP1, Microsoft have rolled up some of the Intune Extension functionality and introduced more of the Intune capabilities into the Hybrid management solution.

Most of the highly used features are now there, including one I regularly get asked about, remote lock and passcode reset!

From the "What's New" notes:

  • You can now manage Windows 10 and Windows 10 mobile devices that are enrolled with Microsoft Intune. All existing Intune features for managing Windows 8.1 and Windows Phone 8.1 devices will work for Windows 10 and Windows 10 Mobile.

  • For System Center 2012 R2 Configuration Manager only: The following Extensions for Microsoft Intune that were released for System Center 2012 R2 Configuration Manager have been integrated into System Center 2012 R2 Configuration Manager SP1. If you previously installed any of these extensions, they will no longer be displayed in the Extensions for Microsoft Intune node of the Configuration Manager console.
    • iOS 7 and iOS 8 Security Settings Extension
    • Enterprise Mode Internet Explorer Extension
    • Windows Phone 8.1 Extension
    • Conditional Access Extension
    • Email Profiles Extension

  • You can deploy iOS apps that are free of charge from the app store. You can deploy this installer type as a required install to make it mandatory on managed devices, or deploy it as available to let users download it from the app store.

  • New mobile device configuration item settings for Samsung KNOX devices. This adds the same capabilities for Samsung KNOX devices to Configuration Manager that exist in Intune, with the exception of kiosk mode.

  • Conditional access to Exchange On-premises for mobile devices. Only devices that are enrolled with Intune and compliant with device policy are allowed to access Exchange email.

  • Conditional access to Exchange Online and SharePoint Online for mobile devices. Only devices that are enrolled with Intune and compliant with device policy are allowed to access Exchange email, or access SharePoint Online files from OneDrive for Business. This feature also introduces new reports that help you identify devices that will be blocked.

  • You can now manage iOS devices purchased through Apple’s Device Enrollment program. This allows for over-the-air management of corporate-owned iOS mobile devices.

  • You can now remote lock, or reset the passcode on iOS, Android, or Windows Phone 8 and later devices from the Configuration Manager console.

  • Mobile application management (MAM) policies let you modify the functionality of compatible apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a managed app, or configure an app to open all web links inside a managed browser.

  • For System Center 2012 R2 Configuration Manager only: You can now associate apps to a VPN connection on devices that run iOS 7 and later. These apps will open the VPN connection when they are launched.

    Additionally, VPN profiles now support Android 4.0 and later versions.

  • Windows Phone 8.1 devices can be enrolled and managed without first uploading a Symantec certificate and a signed Company Portal app. You still have to have a Symantec certificate to side load your own software, but you can send applications that are a link to a store, or a web app to Windows Phone devices using the Company Portal.

  • Custom settings are used in a mobile device configuration item and let you deploy settings to iOS devices that are not selectable from the Configuration Manager console. You create settings in the Apple Configurator Tool, import these settings into the configuration item, then deploy these to the required devices.

  • Kiosk mode allows you to lock a managed iOS mobile device to only allow certain features to work. For example, you can allow a device to only run one managed app that you specify, or you can disable the volume buttons on a device. These settings might be used for a demonstration model of a device, or a device that is dedicated to performing only one function, such as a point of sale device.

  • You can provision personal information exchange (.pfx) files to users' devices, including Windows 10, iOS, and Android devices. Devices can use PFX files to support encrypted data exchange.

  • System Center Endpoint Protection can be used to manage endpoint protection on Windows 10 technical preview devices with Windows Defender. The endpoint protection agent is included in Windows 10 and does not need to be deployed. Be sure to include malware definitions for Windows Defender in updates for managed devices.

  • For System Center 2012 R2 Configuration Manager only: App compliance policies let you create a list of compliant or noncompliant apps in your organization. For Windows Phone 8.1 devices, apps can be blocked from being installed or launched.

    For iOS and Android apps, you can use reports to find users and devices with noncompliant apps.

  • For System Center 2012 R2 Configuration Manager only: Configuration Manager email profiles now support Android Samsung KNOX 4.0 and later.

You can find the full "What's New" notes for SP1 here:

Wednesday 13 May 2015

Is Operations Manager dead now we have Azure Operational Insights?

With the announcements at Microsoft Ignite the other week, the General Availability of Operational Insights (OpInsights) and the new over-arching service of Microsoft Operations Management Suite, some people are now starting to declare System Center Operations Manager (SCOM) dead, with OpInsights as its "born in the cloud" replacement.

Let's try and address this, because quite simply, that's wrong.

Operations Manager has a long history. The current version is System Center 2012 R2, but the product stretches as far back as 2000, when Microsoft licensed the NetIQ technology and developed it into MOM 2000, followed by MOM 2005, SCOM 2007, SCOM 2007 R2, SCOM 2012, SCOM 2012 R2 and soon the vNext 2016 release.

So straight away, we know there's going to be a new release with the vNext wave in 2016, so this certainly isn't a discontinued product. But if we have this shiny new toy, Operational Insights, why would I consider the on-premise Operations Manager?

They do the same thing, right?

Both solutions have slightly differing areas of functions, features and approaches, or whatever you want to call them.

Operations Manager

This is designed to sit within your environment and, based on a management pack model, is extended to monitor events, performance, availability and configuration across your infrastructure. This infrastructure could be Windows Servers, Unix/Linux Servers, Network Devices or even physical "tin" (HP/Dell/Cisco UCS Servers), SANs etc.

So we have a wide range of infrastructure we can monitor and get alerts for a wide range of "hiccups" that can occur, while also dragging out performance metrics like memory, CPU and disk utilisation, or SQL DB locks, Exchange message queue lengths etc.

Operational Insights

From the documentation site:
Operational Insights is an analysis service that enables IT administrators to gain deep insight across on-premises and cloud environments. It enables you to interact with real-time and historical machine data to rapidly develop custom insights, and provides Microsoft and community-developed patterns for analyzing data.

OpInsights is based on "Solutions" which, in a similar vein to management packs, extend the service with features and functions.
At present there's only a selection, but I think it's safe to say this will expand over time if/when partners and the community are allowed to develop for the platform.

Currently you can use solutions to provide:
  • Malware Assessment - Shows which servers do/don't have protection installed and any with threats present (i.e. malware installed)
  • System Update Assessment - Shows which servers have missing Windows Updates
  • Capacity Planning - Uses Operations Manager & Virtual Machine Manager (VMM) to analyse CPU, memory, network and storage metrics to provide forecasting and what-if scenarios, such as over- or under-utilised VMs or when hosts will be exhausted of resources.
  • Change Tracking - Shows which servers have the most changes and what changed (service status, workload changes to Exchange, SharePoint etc., application installation)
  • Security and Audit - Performs forensic analysis and security breach pattern investigations while enabling audit scenarios.
  • Active Directory Assessment - Assesses the risk and health of your AD environment
  • SQL Server Assessment - Assesses the risk and health of your SQL Server environments
  • Alert Management - Surfaces the alerts from Operations Manager to allow detailed searching and analysis to help with root cause identification.


So what's the difference then?

While Operations Manager is focused on gathering raw performance data, checking things are running and available and capturing events, OpInsights is focused on taking that information and applying machine learning algorithms and best practice analysis to it to provide forecasting, trending and
It can also be clearly seen that a couple of the solution packs in OpInsights (Capacity Planning and Alert Management) actually require an Operations Manager infrastructure in place to gather the right type of information to analyse, and you have two options for connecting servers to OpInsights in the first place:
  • Operations Manager Management Group Connection
  • Direct Server Attachment

The two solutions basically share the same agent (Microsoft Monitoring Agent) but have these two distinct connection methods.

For an environment with more than a few hundred servers, my personal approach would always be to deploy SCOM locally, use that to control deployment and management of agents, and therefore use the SCOM management servers as "proxies" to OpInsights. For smaller SMB customers with a handful of servers, it would certainly make more sense to use the direct connection method.

And this is where OpInsights could be seen as a replacement.

Not so much a replacement, but an alternative... If you only had 10 servers, for example, it's a lot easier to see whether they are up or down through, say, Server Manager. It's unlikely you have a big team with delegated responsibilities for Exchange, SharePoint etc., and you might not need the in-depth
monitoring SCOM provides, but you would welcome an overview of your servers, some cool analytics and best practice recommendations.

Compliments to the Chef...

In essence, both of these solutions are complementary to each other.
Operations Manager is, and will be for the foreseeable future, the best solution for monitoring and managing your infrastructure at a granular level, and is extensible in a much greater way than OpInsights can be (scoped tasks and delegated administration, for example). But Operations Manager doesn't have the raw analytics and pattern detection that OpInsights can leverage from Azure, which therefore provides a new level of informational view of your infrastructure.

In short, no, OpInsights isn't a replacement for Operations Manager. It's a new solution for sure; yes, it can be used standalone, but with a break point in usefulness without Operations Manager.
But if you haven't tried it yet, go do so NOW!
There's a basic free tier meaning you can try this without risk and you'll undoubtedly fall in love with the service very quickly like I have, as have the customers I've shown it to and onboarded to it.

Go here to sign up now:

Monday 4 May 2015

RIP Orchestrator, Long Live Azure Automation!

We've known for a while now that Microsoft were planning to deprecate Orchestrator in System Center vNext; see the "Automation Roadmap in the Next Release of System Center, Azure Pack and Microsoft Azure" session from TechEd Europe 2014 -

During that session (at about 34 mins) we were shown a very brief glance of the new Azure portal with Azure Automation present inside it, with the promise that it would be developed in Azure first and then brought back on-premise.

Azure Automation and its on-premise father SMA (SMA came first!) are both already available and in use, but both of these were basically management portals for importing, managing and scheduling PowerShell Workflow scripts.

The biggest draw of Orchestrator, for me, was the GUI. This enabled non-devs, or IT Pros who weren't hard core, to get to grips with designing graphical process workflow automations. The idea that we would be left with everyone having to dive into deep scripting to get even the simple tasks done was certainly daunting, especially as I see Orchestrator being regularly used in conjunction with Service Desk teams, where that skill is usually not present.

Well today, we see where Microsoft have been aiming to go with this.

Azure Automation

From the new preview Azure Portal we can now access any existing Azure Automation accounts that were previously created, or create a new one.

The first new cool feature is Assets.

This now gives us the ability to centrally control and reuse within our Runbooks:
  • Schedules - When Runbooks should run
  • Modules - Ability to upload PowerShell modules for use within Runbooks
  • Connections - Currently just to Azure but more will come
  • Certificates
  • Variables
  • Credentials


And now the thing that you've been waiting for... Graphical Editing!!

This GUI-based editing allows you to place cmdlets, Runbooks, Assets and Controls into the workflow, arrange them in the logical order that's right, and then configure parameters etc.

I'm going to be doing some deeper diving into this starting from now so watch out for more info.

However, the fun doesn't stop there!

From that TechEd Europe session, it was also mentioned that the approach would be one of consistency across Azure and on-premise, so expect these features to be coming with vNext of WAP and Orchestrator/SMA/whatever name it ends up with.

We're also being treated to a new management layer for PowerShell Desired State Configuration.

You see this option when you choose an optional extension to add and configure when deploying a new VM into Azure.
Using Azure Automation you will be able to author new DSC resources (and import existing ones) and use a cloud-based Azure Automation DSC Pull Server, which your target nodes (cloud and on-prem) will then use to get their configuration from and report their configuration state to.

Here comes the curve ball...

While some customers will undoubtedly require a fully on-premise version, be it for secure isolated environments, regulation or whatever reason, with this announcement of enhanced Automation via the new Azure Portal also comes another very interesting scenario...

Hybrid Automation

With these new features now comes the ability to utilise on-premise Runbook Workers.
This allows for creation and management of automation via the Azure Portal and Azure Automation service, while selectively choosing to run some Runbooks on-premise. That negates the need to design scripts that reach back into our environments, and the need to expose systems out to the wider world; instead, a server sat within our network boundary executes the automation Runbook and simply reports its execution back to your Azure subscription.

This requires use of the newly announced Microsoft Operations Management Suite (more details here) and adding the Automation Solution, which allows configuration of an on-premise Runbook Worker server.

Once you've added the Automation Solution pack and have the target server installed with the Microsoft Monitoring Agent and connected to the service, it will be a simple case of running some PowerShell commands (e.g. Add-HybridRegistration, Add-HybridRunbookWorker) to enable it as a Hybrid worker for you to start using.

I'll have some more posts soon running through setup etc.

Microsoft Operations Management Suite

While we always knew that things in Preview are subject to change, this is quite a change...

In the beginning...

Way back when, we had a service called System Center Advisor, designed to give us proactive information regarding our configuration and best practice advice.

This was recently evolved into a new service named Operational Insights. This gave us a much more enhanced version of Advisor, with the ability to add Intelligence Packs to extend it further with features such as Capacity Planning, Security and Audit, and Change Tracking, for example.

And now...

So just as we were expecting OpInsights to leave preview and go GA (it has today, 4th May 2015), we also see some further changes.

For a start, the name has now changed to Microsoft Operations Management Suite.
Well, not strictly a name change, but rather an inclusion within the wider Microsoft Operations Management Suite (OMS), very much like Intune is a part of EMS. I just expect people will refer to it as OMS.

But that's not where it ends.

We still have the Intelligence Packs from Preview, although these are now called Solutions, but we also have a few more goodies:
  • Backup - Manage Azure IaaS VM backup and Windows Server backup status for your backup vault.
  • Azure Site Recovery - Monitor virtual machine replication status for your Azure Site Recovery vault.
  • Automation - Automate time-consuming and frequently repeated tasks in the cloud and on-premise.
N.B. You can check this post for more info on the Automation solution.

The thought process behind this is to start to pull together the collection of management services that Microsoft offers and give that "Single Pane of Glass" view into your environment.


The service isn't just for managing your cloud infrastructure; it's designed for hybrid management, with the ability to take data for the OpInsights part from either directly connected clients (Microsoft Monitoring Agent for Windows, and soon Linux) or agents connected as part of a System Center 2012 R2 Operations Manager Management Group.

In fact, it really doesn't matter where your infrastructure is sitting: Azure, AWS, OpenStack, on-premise, it just doesn't matter. It's all about centralising your management to make it easier.
We also see the inclusion of managing services such as Azure Site Recovery and Azure Backup, which may be protecting on-premise servers,
along with the new Azure Automation capabilities, which also bring the new Hybrid Runbook Worker role with them.

Get Going Now...

The best thing about this is that there is a basic "free" plan, meaning you can start evaluating and using this now, for no outlay, and simply expand as required later.
If you haven't already, sign up for an Azure subscription and then add a new Operational Insights subscription and workspace.
At the time of writing, this still says "Coming Soon..." in the new portal,
but you can add it from the original portal.


The future is on its way

I'm going to make a prediction now; this is based purely on speculation and nothing that I'm privy to.
If I were a betting man, I would hazard the guess that this gives Microsoft a very easy, centralised platform where they can very quickly turn on new management features and expand out the on-premise System Center solutions to deliver new and exciting scenarios.
I would certainly pay attention to this service and, I for one, am excited to see where they drive it.
For example, I would love to see Intune integrated.