Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

System Center Configuration Manager for WS2K8 Released

By Scott M. Fulton, III, BetaNews

August 27, 2007, 5:41 PM

What may eventually be considered one of the most useful and welcome new features for admins has finally been officially released by Microsoft. Today, the company announced that System Center Configuration Manager has officially "released to manufacturing." A 120-day trial evaluation version appeared on Microsoft TechNet this morning.

SCCM is the replacement for Systems Management Server 2003 R2, and its purpose is to enable an administrator from a central location to manage and configure operating systems remotely. This new version makes feasible an innovative method of deployment, which is actually already under way for Windows Vista: You can build your own "distribution image" of an operating system, complete with the applications and settings specific to your organization, and distribute it through your network for remote installation.

Another critical new feature is network access protection (NAP), which lets you set up a scheme whereby systems (including notebooks) cannot gain full access to your network until they meet certain "health" criteria that you specify. SCCM then sets up a process whereby those systems can "get healthy" before logging in.

Typically at this point, I'd provide a link to my description of this new Windows Server feature on InformIT's Windows Server Reference Guide, but that page was offline due to technical difficulties today. At any rate, UPDATE: The InformIT server's back up, so my full article on SCCM appears here. Here's how I described NAP last April:

Here's how NAP works: The management server contacts Windows Update and other online distribution points for updated software. In learning about these updates, the SCCM software on the management server activates a wizard, which will of course require your intervention. Using this wizard, SCCM builds a series of policies whose rules govern whether non-updated systems have full or restricted network access. Those policies are distributed to the remediation server.

When a client seeks a DHCP server, under Longhorn, it provides that server with a kind of signature that represents its "health." Under Microsoft parlance, a non-updated client is relatively unhealthy (although in practice, the update can sometimes cause the problem, which is why it's necessary that you know your updates thoroughly as you're using the SCCM wizard).

The DHCP server runs the health certificate by the SCCM policy manager to see whether the client is healthy enough to be granted access. If the certificate fails this test, the DHCP server places the client on a kind of quarantine. It can access the remediation server, but not much else. The remediation server "heals" the client with the updates, then the client requests access again. If the health certificate passes the test the second time around, all is forgiven.

UPDATE - Microsoft Senior Technical Product Manager for SCCM 2007 Jeff Wettlaufer wrote BetaNews on Wednesday to remind us that the new edition is not just for Windows Server 2008. Our headline for this story may have given that implication, so we stand corrected. The new edition also works with Windows Server 2003 R2.

Add a Comment (2 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By Henry Kinney

posted Sep 11, 2007 - 12:26 PM

Nice. I am thrilled looking forward to what Scriptlogic will announce with its next version of Desktop Authority. The current version I use supports Vista since April and I especially love its remote management feature. For a few days after I installed Vista in our rooms and deployed Desktop Authority to my server, I was on cloud nine. There were talks here and there saying it's impossible to control Windows Vista remotely due to a change in the model of how Vista's winlogon monitors the secure attention sequence (SAS) events. Some sources were saying that functionality is possible to (partially, for some Vista editions) enable using some techniques that requires manually making low-level changes such as installing an additional driver to a remote computer, changing domain group policy and so on. I was really afraid of that as I didn't want to lose control on our remote office when deploying a completely new operating systems to there. As it often the case you never know what can cripple your environment when you are dealing with operations that change the behavior of your system. You can imagine how I was surprised with Desktop Authority's remote manager when I realized that it works with Vista as smoothly as it works with our old NT4 and I can send Ctrl+Alt+Del sequence to Vista computers without performing any additional steps to them. It's functionality to blank remote screen is sweet.
The Network Access Platform is a great thing and I expect it will strengthen the overall security status. But the main NAP's purpose, in general, is to control computer's access and limit their access to your main network and/or update them with updates if they do not comply with the required policies. The problem is that it is supported on Windows Vista, Windows Server 2008 and Windows XP SP3 where the latter two are not released so far. (Although as far as I remember the rumors were that it was expected the client to be included in Windows XP SP2). For the time being I use a similar approach using Desktop Authority's built-in functionality-known as validation logic-to specify which security settings should be applied to which computer, based on the Active Directory information such as the container the machine is contained in, network interface information and device management functionality. The latter two I found helpful to control access to our network for our mobile users as it allows me to quickly define which persons should have which type of rights according to the information like where they have been logged from. Basically, I just define external, internal and some additional policies using rules that determine if this particular user can use Wi-Fi or Bluetooth ports ini his mobile or not. If the user belongs to the group that should have restricted access, I just disable the use of Wi-Fi/Bluetooth/Infrared/USB ports while he's working in corporate network. The best thing for USB ports for example, is that it's possible to forbid writing to the flash memory stick drive but allow using USB mice, keyboards or even those very USB drives only http://www.scriptlogic.c...usb-device-lockdown.asp that for now user will only be able to read from the drive. That's far more flexible then playing with administrative templates.
Additional info about the NAP can be found here http://blogs.technet.com/nap/default.aspx

Score: 0

By rodtrent

posted Aug 27, 2007 - 6:48 PM

It was announced on Friday in the lead PM's blog:

http://myitforum.com/cs2...-left-the-building.aspx

Score: 0

Aug 28 - 6:20 PM ET Where does Barack Obama stand on technology issues?

Aug 28 - 5:29 PM ET Comcast to deploy 250 GB/month usage caps in October

Aug 28 - 4:48 PM ET Microsoft and Nikon ink deal around digital, perhaps wireless, cameras

Aug 28 - 4:21 PM ET WB network returns as Web site

Aug 28 - 4:11 PM ET Paid Google ad appears to state McCain picked Lieberman

Aug 28 - 4:06 PM ET Blogger arrested for leaking Guns N' Roses MP3s

Aug 28 - 3:29 PM ET Competitors look to take on MobileMe for iPhone

Aug 28 - 12:45 PM ET Russia to get iPhone 3G through VimpelCom

Aug 28 - 12:42 PM ET Deeper inside IE8 Beta 2

Aug 28 - 12:22 PM ET Orange France admits to capping iPhone 3G speeds