Introduction to Configuration Manager 2012 (Part 6)

by [Published on 25 Oct. 2012 / Last Updated on 25 Oct. 2012]

In this part of our article series we’ll continue our look into client settings.

If you would like to read the other parts in this article series please go to:

Introduction

With the release of System Center 2012, Microsoft also released a new version of Configuration Manager 2012.

Part 1: We went through a complete installation of System Center 2012 Configuration Manager and, by the end of the article, had a fully operational system.

Part 2: We began investigating the new features and the console.

Part 3: We explored the discovery process.

Part 4: You started learned about the various client settings available to you.

In part 5 and this part 6, we’ll continue our look into client settings.

Client Settings

Client settings are a crucial aspect of System Center Configuration Manager 2012. In older versions of SCCM, these were called client agents, but they still serve the same purpose in SCCM 2012. These settings control how the managed clients in SCCM 2012 will operate. In this article series, we’ll go through each and every client setting and explain in detail the parameters that you can adjust.

Endpoint Protection

In previous versions of SCCM, adding support for what used to be called Forefront Endpoint Protection involved a series of steps that extended SCCM to be able to act as the central monitoring host for the Forefront Endpoint Protection antimalware tool. In SCCM 2012, support for the renamed System Center Endpoint Protection antimalware tool is built right into the product and there is a client setting providing administrators with a means to control how the Endpoint Protection installation will take place.


Figure 6: Endpoint Protection settings

  • Manage Endpoint Protection on client computers. Selecting this option indicates that you wish to centrally manage Endpoint Protection from within the SCCM console.
  • Install Endpoint Protection client on client computers. If System Center Endpoint Protection is not yet installed, changing this option to True will install Endpoint Protection on client computers.
  • Automatically remove previously installed antimalware software before Endpoint Protection is installed. Endpoint Protection has the ability to uninstall some third party antimalware tools, including:
    • Symantec AntiVirus Corporate Edition version 10
    • Symantec Endpoint Protection version 11
    • Symantec Endpoint Protection Small Business Edition version 12
    • McAfee VirusScan Enterprise version 8
    • Trend Micro OfficeScan
    • Microsoft Forefront Codename Stirling Beta 2 or Beta 3
    • Microsoft Forefront Client Security v1
    • Microsoft Security Essentials v1 or 2010
    • Microsoft Forefront Endpoint Protection 2010
    • Microsoft Security Center Online v1
  • Suppress any required computer restarts after the installed Endpoint Protection client is installed. The Endpoint Protection installation does not respect maintenance windows established for clients. Therefore, if the Endpoint Protection installation requires a system restart, the system will restart at any time of day. To prevent this, enable this option.
  • Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours). If the previous option is set to False, administrators can allow users to postpone a restart for a number of hours configured here.
  • Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers. The initial Endpoint Protection deployment can be an impactful event since the software needs to be deployed and new definitions downloaded immediately. You can configure this option to reduce the overall impact by forcing clients to use just the SCCM server for initial definition updates.

Hardware Inventory

The hardware inventory client setting controls how clients perform local hardware inventories and submit the information back to SCCM. Before discussing the hardware inventory, make sure you understand what is meant by the term “MIF file.”

Management Information Files (MIF) are used by SCCM and clients to exchange hardware information. Administrators can extend SCCM’s hardware collection capabilities by using MIF files to supplement what SCCM captures by default. However, you can also use the SCCM client settings configuration area to extend the information that SCCM captures by default.

To learn more about MIF, visit this page.


Figure 7: Software Inventory settings

  • Enable hardware inventory on clients. Directs clients to begin collecting local hardware information based on information configured here.
  • Hardware inventory schedule. How often should a client perform a hardware scan and return information to an SCCM server?
  • Maximum custom MIF file size (KB). A range of 1 KN to 5,000 KB is required here. This field indicates the maximum MIF file size that SCCM will process. If a file is returned from a client and it’s larger than this setting, the file will be ignored.
  • Hardware inventory classes. Administrators can choose to collect all kinds of information from client hardware. You can see some of these in the screenshot above. Simply select the hardware classes that you’d like to collection. The next time that the client performs a policy retrieval, it will be updated to include the new classes.
  • Collect MIF files.
    • None. Do not collect any MIF files from clients.
    • Collect IDMIF files. IDMIF files are ones that contain inventory information from devices that are not managed by Configuration Manager. Select this option to collect IDMIF files from clients.
    • Collect NOIDMIF files. NOIDMIF files are ones that contain hardware information that can’t be inventoried directly by Configuration Manager. Select this option to collect NOIDMIF files from clients.
    • Collect IDMP and NOIDMIF files. Collect both kinds of files from clients.

Network Access Protection (NAP)

The Network Access Protection client agent scans a local machine and sends the results of the scan to a System Health Validator Point. This SCCM capability requires that organizations have an existing Network Access Protection architecture already in place. Systems that do not comply with baselines may not be able to connect to the network until the situation is remediated.


Figure 9: Network Access Protection settings

  • Enable Network Access Protection on clients. When enabled, client software updates are scanned and the results sent to a System Health Validator Point (SHVP).
  • Use UTC (Coordinated Universal Time) for evaluation time. Indicate whether local time and UTC time should be used for evaluation.
  • Require a new scan for each evaluation. A False setting allows a client to return to the SHVP the cached result from the most recent scan while a True setting requires a new and current full scan.
  • NAP re-evaluation schedule. Determines how often the client’s status should be re-evaluated.

Power Management

Power management capabilities were added to SCCM in a recent edition of a previous version, but they’re included in full force in SCCM 2012. Power management can be used to create policies, which, once applied to clients, can begin to save the company money.


Figure 10: Power Management settings

  • Allow power management of devices. Allows SCCM to manage power settings in managed devices.
  • Allow users to exclude their device from power management. SCCM is a user-focused product. As such, administrators can choose to allow users to opt out of centrally-enforced power management by changing this setting to True.

Summary

As you are continuing to see, there are a number of options associated with each client setting. Administrators can adjust these options to control client behavior in the environment. In the next part of this series, we’ll continue our look at client settings.

If you would like to read the other parts in this article series please go to:

Advertisement

Featured Links