Tuesday, November 19, 2013

SCCM 2012 - Enable Asset Intelligence

In this segment I am going to go over Asset Intelligence. AI is quite useful for keeping track of the assets within your environment including hardware and software inventory as well as licensing. When it comes time for true-up this can be quite beneficial. This information can be utilized via console and in reporting. There are a number of configuration steps before you can use Asset Intelligence in SCCM 2012.

Enable Asset Intelligence Hardware Inventory Reporting Classes:
First we need to enable AI hardware inventory classes. In the Administration Space Click on Client Settings then highlight Default Client Settings. Right Click on it and Select Properties. In the Default Settings dialogue box Click Hardware Inventory. Set Enable hardware inventory on classes to Yes. You can adjust the inventory schedule as required or leave it set as the default.

Note: It is recommended to run the scans off hours or on the weekends, when system resource utilization is lower, as the scans can consume quite a bit of processor.

Click Set Classes

In the Hardware Inventory Classes you can adjust what items you wish to collect data on from any number of possible items. For additional information regarding the classes refer to the Technet article on them. Click OK then Click OK again.

Now we need to enable Inventory Reporting Classes. In the Asset and Compliance space Select Asset Intelligence. On the Home Tab Click Edit Inventory Classes. When the Edit Inventory Classes opens Select Enable all Asset Intelligence reporting classes or you can select individual classes.
Note: If you intend to enable the Hardware Inventory Client Agent to inventory the information required to support these reports, SMS_SystemConsoleUser must be checked.

If you chose to enable all classes you will get a prompt warning you about client system resources during the scan. Click Yes

Install Asset Intelligence Synchronization Point:
Next we need to install AI. In the Administration Space expand Site Configuration then highlight Sites. Select the site server you want to install AI on and Right Click and select Add Site System Roles. By now you should be all too familiar with the Add Site System Roles Wizard. Add the server name if not already present then select the Site code. Click Next

Add proxy information if required. Click Next

Select Asset Intelligence synchronization point. Click Next

By default, the Use this Asset Intelligence Synchronization Point setting is selected and cannot be configured on this page. System Center Online accepts network traffic only over TCP port 443, therefore the SSL port number setting cannot be configured on this page of the wizard. Click Next

You can modify the synchronization schedule as required. Keep in mind to run scans in off hours if at all possible. Click Next

Verify your settings and Click Next

You should get a success page. Click Close

Enable Auditing of Success Logon Events:
In order for AI to display information gathered from Windows Security event logs on client computers in reporting you need to enable audit logging. If it is not enabled these reports would contain no data even if the appropriate hardware inventory reporting class is enabled.

Note: The following actions will need to be performed by someone with Domain Administrator level access in Active Directory.

On your domain controller open Group Policy Management Editor. Find the SCCM policy that you created before you did the SCCM installation, Right Click and Edit (you can create a new policy if you prefer but I like to keep all my related policies together like this). Expand out Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Double Click on Audit Logon Events. Check Define these policy settings and then Check Success. Click Apply
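A check for the audit setting above, as an added example that is not part of the original post: it reads the effective Logon audit setting on a client and counts recent success logon events. It assumes an elevated PowerShell 3.0 or later session, an English-language OS, and Windows Vista / Server 2008 or later; the function names are made up for this example.

```powershell
# Added example, not from the original post. Run elevated on a client that
# should have received the GPO. Assumes an English-language OS for the
# auditpol column name and Windows Vista / Server 2008 or later (event 4624).
$logonGuid = '{0CCE9215-69AE-11D9-BED3-505054503030}'   # "Logon" audit subcategory

function Test-LogonSuccessAudit {
    # /r prints CSV; addressing the subcategory by GUID avoids localized names.
    $rows = auditpol.exe /get "/subcategory:$logonGuid" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    [pscustomobject]@{
        Setting        = $setting
        SuccessAudited = ($setting -like 'Success*')   # "Success" or "Success and Failure"
    }
}

function Get-RecentLogonSuccess {
    param([int]$Hours = 24)
    # 4624 = "An account was successfully logged on"
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    @(Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue)
}

$policy = Test-LogonSuccessAudit
$events = Get-RecentLogonSuccess
"Effective Logon audit setting: $($policy.Setting)"
"Success logons recorded in the last 24 hours (capped at 50): $($events.Count)"
if (-not $policy.SuccessAudited) {
    'Success auditing is not in effect; check GPO link, scope and gpresult /r.'
} elseif ($events.Count -eq 0) {
    'Policy applied but no 4624 events yet; log on once and re-run.'
}
```

If the setting still reads No Auditing after a policy refresh, check whether advanced audit policy subcategories are configured together with "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", since that combination makes Windows ignore the category-level setting used above.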

Import Software License Information:
The Import Software License Wizard is used to import Microsoft Volume Licensing (MVLS) information and general license statements into the Asset Intelligence catalog. The MVLS license statement contains information about the license entitlements, or number of purchased licenses, for Microsoft products. A general license statement contains information about the purchased licenses for any publisher.

Note: The site server computer account needs Full Control permissions for the NTFS file system to the file share that is used to import software license information. 

One thing to keep in mind when importing license information. Existing software license information is overwritten so ensure that the information file that you use when you do the import contains a complete listing of all necessary data. This will only update information in the license file, not any other data.

In the Assets and Compliance space Click Asset Intelligence. On the home tab Click Import Software Licenses. The Import Software License Wizard will start up. Click Next

There are two possibilities to choose from here: Microsoft Volume License Statement and General License Statement.

Microsoft Volume License Statement
The first is for importing Microsoft related product volume licenses (duh). The easiest way to gather this data is to pull it directly from the Microsoft partner website.

Open up Excel (any version), rename Sheet 1 to License Data then delete sheets 2 & 3. In the Ribbon Select Data then Click From Web. Navigate to https://licensing.microsoft.com/ and enter in your Windows Live ID. Once you are logged in Click View your license summary, click the box to Select License Data then Click Import. Click OK. You will need to remove the first column then save the file as a normal .xlsx file for future reference. Then save the file as an .xml file to the NTFS share discussed previously.

General License Statement
A General License Statement is used for all non Microsoft related products you have in AI and will need to be saved as a .csv file only.

Open up Excel (any version), rename Sheet 1 to License Data then delete sheets 2 & 3. In Row 1 Column A enter the following (each in a new column). Green items are required for all software on the list, the rest are not, but I leave them in there so I can remember the placeholders and it's nice to input the data if it is available.

  • Name
  • Publisher
  • Version
  • Language
  • EffectiveQuantity
  • PONumber
  • ResellerName
  • DateOfPurchase
  • SupportPurchased
  • SupportExpirationDate
  • Comments
Now that we have our 11 columns labeled we can add in the software information in row 2 down (as needed). The software names need to match up exactly to what you see in Inventoried Software, otherwise you will get an error when inputting data. Save the file as .csv to the NTFS share discussed previously.
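A pre-import check for the general license file described above, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later, that the first five columns are the required ones, and that EffectiveQuantity must be a whole number; the function name, the -InventoriedNames parameter and the sample rows are constructed for illustration.

```powershell
# Added example: pre-import check for a general license statement CSV.
$Expected = 'Name','Publisher','Version','Language','EffectiveQuantity','PONumber',
            'ResellerName','DateOfPurchase','SupportPurchased','SupportExpirationDate','Comments'
$Required = $Expected[0..4]   # assumption: the first five columns are the required ones

function Test-LicenseStatement {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$InventoriedNames = @()   # hypothetical: titles copied from Inventoried Software
    )
    # Row 1 must hold exactly the 11 column names, in order.
    $first  = Get-Content -LiteralPath $Path -TotalCount 1
    $header = @($first -split ',' | ForEach-Object { $_.Trim().Trim('"') })
    if (($header -join ',') -ne ($Expected -join ',')) {
        "Header mismatch, found: $($header -join ',')"
        return
    }
    $row = 1
    foreach ($r in Import-Csv -LiteralPath $Path) {
        $row++
        foreach ($c in $Required) {
            if (-not "$($r.$c)".Trim()) { "Row ${row}: required column '$c' is empty" }
        }
        $n = 0
        if ($r.EffectiveQuantity -and -not [int]::TryParse($r.EffectiveQuantity, [ref]$n)) {
            "Row ${row}: EffectiveQuantity '$($r.EffectiveQuantity)' is not a whole number"
        }
        # The import fails when a title differs from Inventoried Software, so compare
        # case-sensitively and without trimming (a trailing space counts as a mismatch).
        if ($InventoriedNames.Count -gt 0 -and $InventoriedNames -cnotcontains $r.Name) {
            "Row ${row}: Name '$($r.Name)' does not match any inventoried title exactly"
        }
    }
}

# Constructed sample file: row 2 is clean, row 3 has a bad quantity and a trailing space.
$sample = @'
Name,Publisher,Version,Language,EffectiveQuantity,PONumber,ResellerName,DateOfPurchase,SupportPurchased,SupportExpirationDate,Comments
Example Editor,Example Corp,4.2,English,25,PO-1001,Example Reseller,,1,,constructed row
Example Viewer ,Example Corp,1.0,English,ten,,,,,,constructed row
'@
$path = Join-Path $env:TEMP 'general-license-sample.csv'
Set-Content -LiteralPath $path -Value $sample -Encoding ASCII
Test-LicenseStatement -Path $path -InventoriedNames 'Example Editor','Example Viewer'
```

Because an import overwrites the existing license information, running a check like this before the wizard avoids replacing good data with a partially valid file.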

Now that we have our license file created select Microsoft or General depending on your need and browse to the file. Click Next

You will get a summary, Click Next

Once you have success Click Close

Configure Asset Intelligence Maintenance Tasks:
There are two types of maintenance tasks available in AI: Check Application Title With Inventory Information and Summarize Installed Software Data.

Check Application Title With Inventory Information
This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. By default, this task is enabled and scheduled to run on Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only available at the top-level site in your Configuration Manager hierarchy.

Summarize Installed Software Data (Available only on Primary Sites)
This maintenance task provides the information that is displayed in the Assets and Compliance workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. By default, this task is enabled and scheduled to run every day after 12:00 A.M. and before 5:00 A.M. This maintenance task is available only on primary sites.

Go to the Administration Space, Expand Site Configuration then Click Sites. Highlight the server that has AI installed on it and on the Home tab Click Site Maintenance

Locate Check Application Title With Inventory Information and Click Edit

Check Enable this task and set the schedule appropriate for your environment. Click OK

Locate Summarize Installed Software Data (Available only on Primary Sites) and Click Edit

Check Enable this task and set the schedule appropriate for your environment. Click OK

Congratulations, Asset Intelligence is now up and running.

More to come!

Like this blog, give it a g+1

Monday, November 18, 2013

SCCM 2012 - Deploying Distribution Points.

So in this segment I want to go over the process of setting up Distribution Points. DP's are helpful when you have an offsite office that has slow bandwidth to the hierarchy. You can distribute OS images and software packages through a DP which will reduce latency and bandwidth consumption. You replicate packages to the DP over the WAN once and the respective clients pull it from the local DP over the LAN.

Setting up a DP is fairly straightforward, but there are a couple things that need to be done prior to the install. First you need to add the SCCM Admin account and the SCCM Site Server account to local administrators on the machine you will be making a DP. Otherwise you will get permissions errors during install.

Next, if you are running a local firewall and plan on enabling PXE support on this DP you will need to open the following ports on the new Distribution Point, otherwise clients will not be able to connect.
  • UDP Port 67 
  • UDP Port 68
  • UDP Port 69
  • UDP Port 4011
Note: Operating System installation utilizes UDP Port 69
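One way to open the four ports listed above with Windows Firewall, as an added example that is not part of the original post. It assumes Windows Server 2012 or later on the distribution point and an elevated session; the rule names, the rule group and the restriction to the Domain firewall profile are choices made for this example.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 or
# later (NetSecurity module) and an elevated session on the distribution point.
# Rule names and the Domain-profile scope are choices made for this example.
$pxePorts = @(
    @{ Port = 67;   Use = 'DHCP server' },
    @{ Port = 68;   Use = 'DHCP client' },
    @{ Port = 69;   Use = 'TFTP (boot image download)' },
    @{ Port = 4011; Use = 'PXE boot server' }
)

foreach ($p in $pxePorts) {
    $name = "SCCM DP PXE UDP $($p.Port)"
    # Re-running the script must not stack duplicate rules.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Description $p.Use -Group 'SCCM DP PXE' `
        -Direction Inbound -Protocol UDP -LocalPort $p.Port `
        -Action Allow -Profile Domain | Out-Null
}

# Show what is actually in place: one row per rule with its port and state.
Get-NetFirewallRule -DisplayName 'SCCM DP PXE UDP *' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Protocol = $filter.Protocol
        LocalPort = $filter.LocalPort; Enabled = $_.Enabled; Profile = $_.Profile
    }
} | Format-Table -AutoSize
```

Scoping the rules to the Domain profile keeps these ports closed if the server's network is ever classified as Public or Private; widen the profile only if the DP is not domain-joined.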

So once we have the previous steps completed let's move to the installation. In the SCCM console go to the Administration space and expand Site Configuration. Select Servers and Site System Roles then Click Create Site System Server.

The Create Site System Server Wizard will open. Enter the name of the server you wish to add this role to, you can browse as well. Then select the Site it will be reporting to. Click Next

Enter proxy information as required. Click Next

Select Distribution Point and Click Next

Check Install and configure IIS if required by Configuration Manager. You can also choose between HTTP and HTTPS depending on your environmental requirements. If you have an existing certificate you can use that, otherwise Click Next

For drive settings you can use an alternate drive or leave the setting as Automatic which will create the catalog folders (discussed later) on the c:\ drive. Depending on the size of the c:\ drive and the number of software packages you may want to use an alternate drive. Click Next

You can specify if you want this Distribution Point to pull content from other DP's in your hierarchy or only from CAS, Primary or Secondary site servers. Click Next 

If you wish to use PXE Support Check Enable PXE support for clients. You will be prompted to open firewall ports which was discussed previously. Click Yes to the prompt.

You now want to select Allow this distribution point to respond to incoming PXE requests. Since we are dealing with a small environment I unchecked require a password when computers use PXE (this can be changed later). Click Next

Now you can choose if you want to allow multicast. Multicast gives you the ability to disseminate package data to multiple clients simultaneously. You can select the number of clients and throttle data accordingly. If you are in a small office with limited bandwidth you may not want to enable this option.

Content validation can be helpful if you are going through a lot of changes with the software packages in your environment. It verifies with the site server on a scheduled basis to confirm content. Click Next

Define the respective boundary group for this server and Click Next

Review the install settings you selected and Click Next

You should get a success. Click Close

You can monitor the installation status of the DP if you go to the Monitoring space, expand Distribution Status and Click Distribution Point Configuration Status. Find the newly created DP and highlight it. In the bottom viewing pane you will see installation progress. You may see a few Failed to connect to remote distribution point errors initially. This is normal. What you are looking for is Distribution Point installation\upgrade successfully completed. If you get other errors you can highlight them and select More Details.
After the install completes the Primary server will request a synchronization. This may take some time depending on how many install packages you have in your environment.

To further validate the install you can go to the newly created DP and go to the location you chose for install catalog directories (c:\ in our case) and you should see the following folders. You will also see the newly created inetpub folder.

More to come!


Tuesday, November 12, 2013

SCCM 2012 - Changing SUP Settings

In WSUS & Software Update Point we covered how to install and setup WSUS and SUP. In that segment I recommended we skip selecting any products as it would increase the amount of time it takes to complete the first sync. In this Segment I will show you how to go back and add products in manually and do another sync with the newly selected products.

Adjusting these settings is actually quite simple. Once you have SUP installed go to the Administration Space, expand out Site Configuration then Click Sites. Highlight the server you installed SUP on and Click Configure Site Components then Software Update Point.

From here you can adjust the Software Update Point Component Properties. In Sync Settings you can modify the upstream location for this SUP. Unless you are adding another server in your enterprise to handle the top level sync I wouldn't change this setting.

In Classifications you can add new or remove Classifications as needed. Remember, if you plan to deploy Endpoint Protection you need to keep Definition Updates.

In Products you can add all relevant products to your environment or remove outdated items so they don't continue to take up storage space.

In Sync Schedule you can modify when you do an upstream sync.

On the Supersedence Rules you can modify when updates are removed once they have been superseded.

In Languages you can add new languages as needed.

Once you have gone through and added all of the new Products needed in your environment you can do a manual sync or wait for the scheduled sync. If you want to do it right away go to the Software Library and expand Software Updates. Highlight All Software Updates and Click Synchronize Software Updates.

More to come!


Monday, November 11, 2013

SCOM 2012 - Configure ACS Reporting

In Deploying ACS we discussed how to install and configure Audit Collection Services. Now we will discuss how to setup the reporting services for ACS so you can utilize the compiled data in a useful way. This requires that you have Reporting Services installed either locally or on a remote machine. If you have not setup Reporting Services refer back to my previous segment SCOM 2012 - Web & Reporting Services Install.

So the first thing we need to do is create a temp folder called c:\ACS. This will be deleted later but it will hold the install files. Next copy the contents of \ReportModels\ACS to the newly created temp ACS folder. In this folder there should be an .exe called ReportingConfig.exe. If it is not there go to \SupportTools and find it under your respective processor. Copy the file back to c:\ACS.

The contents should look like this:

From an administrative command prompt, run the following command:
UploadAuditReports "<AuditDBServer\Instance>" "<Reporting Server URL>" "<path of the copied acs folder>"

For example: UploadAuditReports "myAuditDbServer\Instance1" "http://myReportServer/ReportServer$instance1" "C:\acs"

This example creates a new data source called Db Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the acs\reports directory.

Once you get back to a command prompt you can close this window. Open up a web browser and navigate to your reporting page. It should be http://servername/reports_instancename. You will see the newly created Audit Reports. Click on it.

In Audit Reports change the sort to Details View

Right Click on DB Audit and Manage

Make sure Windows integrated security is selected and Test Connect. If you are able to connect Click Apply

Back in the SCOM console go into the Reporting Space. You should see the new Audit Reports Section.

Note: You may have to close the console and re-open it for this to take effect.

You can now remove the c:\ACS folder as it is no longer needed.

More to come!
