Happy New Year, 2013!
We kick off the year by lining up our most asked for classes in Deployment and Systems Management. If you are one of many that have rolling out new clients as the main objective in 2013 or implement System Center 2012 we have what it takes to be ready:
First out is the MVP Combo class with Johan Arwidmark and Kent Agerlund “MVP Combo Pack – The ultimate MDT 2012 and System Center 2012 Configuration Manager SP1”. Five packed days with two of the most acclaimed MVP’s in the System Center and Deployment area. This is the only class that will give you the needed skills of System Center 2012 Configuration Manager SP1 and the
MDT 2012 Update 1.
If you want to focus 100% on Windows deployment and want to learn from the expert before rollout, then I recommend the “Mastering Windows 7&8 Deployment using MDT 2012 and ConfigMgr2012 SP1”. A unique 4 day class with Mikael Nystrom (Microsoft MVP) in which you get to choose which method you want to use; Lite Touch (MDT only) or Zero Touch (MDT and ConfigMgr) deployment. As always with our labs; this is a hand’s on lab with learning by doing using real life scenarios with an experienced consultant.
Geek Week ll – System Center 2012! This is our flagship training with Johan and Mikael at the helm. Five jam packed days in which you get to build a full System Center 2012 environment, deploy Windows Server & Client, run Hyper V and much, much more. We run it in the heart of Windows land on the Microsoft campus. You get to hang out with Johan & Mike from early mornings to late evenings as they stay in the same hotel as you. As a result many technical problems has had its solutions presented in the evening sessions at the bar area…..but wait there is more:
In this short letter, Mikael and Kent share some wisdom on Hydration kit as well as a first look at Secunia CSI 6
Use Hydration kit
The main reason to use a Hydration solution is to get somewhere in no time at all. It is the perfect solution if you need to evaluate, test, demo or just play around with, without going through the very time consuming process of learning it all from ground up. Imaging that you can build an entire infrastructure with Windows Server 2012 as a Domain Controller, DHCP, DNS and then just for fun you deploy a SCCM 2012 SP1, SCOR 2012 SP1, a couple of clients while you are watching a block buster movie, when the movie is done, so is your LAB, ready to play with. That is hydration!
You find my Hydration Kit V3 here.
First look at the Secunia CSI 6.0 SCCM Plug-in
A few years ago I wrote a blog posts on Microsoft SCUP and Secunia CSI 5.0. Back then my conclusion was that Secunia had a superb security database but required a custom agent and didn’t have an easy Configuration Manager Console integration. With the latest release of Secunia CSI those “obstacles” are removed and the solution looks very promising. In this, my first test drive of the product, I will see how quickly I can install the solution and start patching my environment.
CSI requires that you first install the CSI administrator console and then the CSI SCCM plug-in. The installation process takes less than 1 minute and is straight out-of-the-box. You can download a free evaluation copy from http://secunia.com/vulnerability_scanning/corporate/sccm_plugin/
Configure WSUS and Configuration Manager Integration
In order to configure the integration you need to do a few things first, like configuring WSUS, create or configure the self-signed certificate and deploy the certificate. CSI allows you to configure all of these settings with a simple wizard. The wizard is perfect for lab environments and small business but also allow mid-sized and enterprise organizations the flexibility to configure their own settings.
1. Launch the Secunia CSI console as Administrator (if not the wizard will present you with an error when creating the GPO), select Patching, Configuration, WSUS/SCCM (Disconnected).
2. Click Configure Upstream Server
3. Fill in the WSUS server name along with the Port and click Connect. Once successfully connected, click Next.
4. On the Configure Signing Certificate click Automatically Create and Install certificate. This will create a WSUS self-signing certificate on the server which you need to deploy to all clients.
5. On the final step select Use SCCM to distribute packages and click Create Group Policy. This will create a WSUS-CSI GPO with the required configurations. Even if you like to create your own GPO’s, it’s still nice to have them created correctly for you.
6. The Domain joined WSUS-CSI GPO configures the self-signed certificate and configures clients to trust updates that are signed with the certificate.
We need to deliver compliance information to Secunia before updates will be made available. The compliance data can be delivered using one of the four different scanning solutions.
1. Install a Secunia scan agent on the host. The agent is a very lightweight agent and has a minimum impact on the client.
2. Perform an “Over the air network scan”.
3. Configure the Software Inventory agent setting in ConfigMgr. to scan for Exe, .DLL and OCX files.
4. Create a package in ConfigMgr with the scanning agent and run the package on a schedule.
In this test drive I will use the software inventory information from my ConfigMgr. clients.
1. To configure the Software Inventory settings open the Configuration Manager console, select the Administration workspace, select Client Settings and either configure a new custom device setting or modify an existing setting.
2. Next open the Secunia management console and navigate to, Scanning, SCCM Inventory Import and click Configure SCCM.
3. Fill in the Site server name and click Save. Secunia will connect to ConfigMgr. and import all clients from the SQL database. For Enterprise companies this process can easily take a little while. If the process seems to be too time consuming; remember that also have other scanning options like installing the Secunia client on selected clients.
4. Select the number of hosts and initiate a scan by clicking Scan Selected Hosts. The scan process will scan the imported data for compliance against the Secunia database.
Approving and deploying patches can be performed from within the CSI console or in the ConfigMgr. console using the CSI plug-in. The plug-in is creating a Secunia folder in Software Library from where you can configure WSUS settings and see a list of all insecure applications in the environment.
To deploy a patch do the following
1. Right click the insecure application and select Create Update Package
2. Click Next or import an existing SPS package.
3. Click Next (notice that you can make the update Always installable, this will allow clients who do not have the application to install it).
4. On the last page; click Publish.
5. Once the package is created and published click OK
6. After the next WSUS synchronization the updates will appear in Software Updates all ready for deployment
You might wonder why you have to go thru a 4 page wizard to deploy an update. To me, it’s all about control and having the flexibility to do almost whatever I want. This scenario is fairly simple, but there could be other scenarios where you might want to uninstall several older versions of the application before start to deploy the new version.
Deployment Geek Week with Johan Arwidmark and Mikael Nystrom
MVP Combo-The ultimate MDT2012 and ConfigMgr2012 training
with Johan Arwidmark and Kent Agerlund
| Mastering Windows 7&8 deployment using MDT 2012 and ConfigMgr with Mikael Nystrom
|| February 4
Full schedule at http://www.truesec.com