Published by Godfrey Martin. Modified over 5 years ago.
1
SCCM 2016 ( ) Overview

The following are the primary management capabilities of System Center Configuration Manager. Each capability has its own prerequisites, and the capabilities that you want to use might influence the design and implementation of your Configuration Manager hierarchy. For example, if you want to deploy software to devices in your hierarchy, you must install the distribution point site system role. For more information about how to plan and install Configuration Manager to support these management capabilities in your environment, see Get ready for System Center Configuration Manager.

Application management
Provides a set of tools and resources that can help you create, manage, deploy, and monitor applications to a range of different devices that you manage. Additionally, Configuration Manager provides you with tools that help you protect your company data in user's apps. See Introduction to application management.

Company resource access
Provides a set of tools and resources that enable you to give users in your organization access to data and applications from remote locations. These tools include Wi-Fi profiles, VPN profiles, certificate profiles, and conditional access to Exchange and SharePoint online. See Protect data and site infrastructure with System Center Configuration Manager and Manage access to services in System Center Configuration Manager.

Compliance settings
Provides a set of tools and resources that can help you to assess, track, and remediate the configuration compliance of client devices in the enterprise. Additionally, you can use compliance settings to configure a range of features and security settings on devices you manage. See Ensure device compliance with System Center Configuration Manager.

Endpoint Protection
Provides security, antimalware, and Windows Firewall management for computers in your enterprise. See Endpoint Protection in System Center Configuration Manager.

Inventory
Provides a set of tools to help identify and monitor assets:
- Hardware inventory: Collects detailed information about the hardware of devices in your enterprise. See Introduction to hardware inventory in System Center Configuration Manager.
- Software inventory: Collects and reports information about the files that are stored on client computers in your organization. See Introduction to software inventory in System Center Configuration Manager.
- Asset Intelligence: Provides tools to collect inventory data and to monitor software license usage in your enterprise. See Introduction to Asset Intelligence in System Center Configuration Manager.

Mobile device management with Microsoft Intune
You can use Configuration Manager to manage iOS, Android (including Samsung KNOX Standard), Windows Phone, and Windows devices by using the Microsoft Intune service over the Internet. Although you use the Intune service, management tasks are completed by using the service connection point site system role available through the Configuration Manager console. See Hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune.

On-premises Mobile Device Management
Enrolls and manages PCs and mobile devices by using the on-premises Configuration Manager infrastructure and management functionality built into the device platforms (instead of relying on a separately installed Configuration Manager client). Currently supports managing Windows 10 Enterprise and Windows 10 Mobile devices. See Manage mobile devices with on-premises infrastructure in System Center Configuration Manager.

Operating system deployment
Provides a tool to create operating system images. You can then use these images to deploy the operating systems to computers, by using PXE boot or bootable media such as a CD set, DVD, or USB flash drives. Note that this applies to computers that are managed by Configuration Manager, as well as unmanaged computers. See Introduction to operating system deployment in System Center Configuration Manager.

Power management
Provides a set of tools and resources that you can use to manage and monitor the power consumption of client computers in the enterprise. See Introduction to power management in System Center Configuration Manager.

Queries
Provides a tool to retrieve information about resources in your hierarchy and information about inventory data and status messages. You can then use this information for reporting, or for defining collections of devices or users for software deployment and configuration settings. See Introduction to queries in System Center Configuration Manager.

Remote connection profiles
Provides a set of tools and resources to help you to create, deploy, and monitor remote connection settings to devices in your organization. By deploying these settings, you minimize the effort required by users to connect to their computers on the corporate network. See Working with remote connection profiles in System Center Configuration Manager.

User data and profiles configuration items
User data and profiles configuration items in Configuration Manager contain settings that can manage folder redirection, offline files, and roaming profiles on computers that run Windows 8 and later for users in your hierarchy. See Working with user data and profiles configuration items in System Center Configuration Manager.

Remote control
Provides tools to remotely administer client computers from the Configuration Manager console. See Introduction to remote control in System Center Configuration Manager.

Reporting
Provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services from the Configuration Manager console. See Introduction to reporting in System Center Configuration Manager.

Software metering
Provides tools to monitor and collect software usage data from Configuration Manager clients. See Monitor app usage with software metering in System Center Configuration Manager.

Software updates
Provides a set of tools and resources that can help you manage, deploy, and monitor software updates in the enterprise. See Introduction to software updates in System Center Configuration Manager.
2
10747D SCCM 2016 R2
1: Overview of System Center 2016 R2 Configuration Manager
Administering and configuring System Center Configuration Manager 2016 R2 SP1

Topics:
- Configuring and deploying SCCM 2016 R2
- Data querying using WQL and gathering collections
- Configuring software and hardware inventory, Asset Intelligence and software metering
3
Overview of the System Center 2016 Environment
Configuration Manager
- Single admin console
- Manage clients on the organizational network and the Internet
4
Overview of System Center 2016 R2
Asset management, Change management, Administrative features
- Hardware and Software Inventory
- Application Management
- Compliance Settings
- Role-Based Administration
- Software Update Management
- Power Management
- Remote Management
- Asset Intelligence
- Client Health
- Reporting
- Software Metering
- Operating System Deployment
- Endpoint Protection
- Monitoring
- Content Management
5
SCCM Newer Features

- Support for clients that run Windows 8, Windows 8.1, Windows RT, Windows 8.1 RT, Windows 10, iOS, Mac OS X, and Android
- Support for Windows Server 2016 and Windows Server 2016 R2 to host site system roles
- Support for SQL Server 2016 to host Configuration Manager databases
- Support for merging of System Center 2016 R2 Configuration Manager hierarchies
- New site system roles for the certificate registration point
- Bulk reassignment of clients to alternate primary sites
- Configuration Manager Windows PowerShell cmdlets

In-console monitoring of update installation status
Beginning with version 1610, when you install an update pack and monitor the installation in the console, there is a new phase: Post Installation. This phase includes status for tasks like restarting key services, and initialization of replication monitoring. (This phase is not available in the console until after your site updates to version 1610.) For more information about update installation status, see Install in-console updates.

Exclude clients from automatic upgrade
You can exclude Windows clients from getting upgraded with new versions of the client software. To do this, you include the client computers in a collection that is specified to be excluded from upgrade. Clients in the excluded collection ignore requests to update the client software. For more information, see Exclude Windows clients from upgrades.

Improvements for boundary groups
Version 1610 introduces important changes to boundary groups and how they work with distribution points. These changes can simplify the design of your content infrastructure, while giving you more control over how and when clients fall back to search additional distribution points as content source locations. This includes both on-premises and cloud-based distribution points. These improvements replace concepts and behaviors you might be familiar with (like configuring distribution points to be fast or slow). The new model should be easier to set up and maintain. These changes also lay the groundwork for future changes that will improve other site system roles you associate to boundary groups. When you update to version 1610, the update converts your current boundary group configurations to fit the new model so that these changes do not disturb your existing content distribution configurations. For more information, see Boundary groups.

Peer Cache for content distribution to clients
Beginning with version 1610, client Peer Cache helps you manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution for clients to share content with other clients, directly from their local cache. After you deploy client settings that enable Peer Cache to a collection, members of that collection can act as a peer content source for other clients in the same boundary group. You can also use the new Client Data Sources dashboard to understand the use of Peer Cache content sources in your environment.

Tip: With version 1610, Peer Cache and the Client Data Sources dashboard are pre-release features. To enable them, see Use pre-release features from updates.

For more information, see Peer Cache for Configuration Manager clients, and Client Data Sources dashboard.

Migrate multiple shared distribution points at the same time
You can now use the option to Reassign Distribution Point to have Configuration Manager process in parallel the reassignment of up to 50 shared distribution points at the same time. Prior to this release, reassigned distribution points were processed one at a time. For more information, see Migrate multiple shared distribution points at the same time.
Cloud management gateway for managing Internet-based clients
Cloud management gateway provides a simple way to manage Configuration Manager clients on the Internet. The cloud management gateway service, which is deployed to Microsoft Azure and requires an Azure subscription, connects to your on-premises Configuration Manager infrastructure using a new role called the cloud management gateway connection point. Once it's completely deployed and configured, clients can communicate with on-premises Configuration Manager site system roles and cloud-based distribution points regardless of whether they're connected to the internal private network or on the Internet. For more information and to see how cloud management gateway compares with Internet-based client management, see Manage clients on the Internet.

Improvements to the Windows 10 Edition Upgrade Policy
In this release, the following improvements have been made to this policy type:
- You can now use the edition upgrade policy with Windows 10 PCs that run the Configuration Manager client in addition to Windows 10 PCs that are enrolled with Microsoft Intune.
- You can upgrade from Windows 10 Professional to any of the platforms in the wizard that are compatible with your hardware.

Manage hardware identifiers
You can now provide a list of hardware IDs that Configuration Manager should ignore for the purpose of PXE boot and client registration. There are two common issues that this helps to address:
- Many devices, like the Surface Pro 3, do not include an onboard Ethernet port. A USB-to-Ethernet adapter is generally used to establish a wired connection for the purpose of deploying an operating system. However, due to cost and general usability, these are often shared adapters. Because the MAC address of this adapter is used to identify the device, reusing the adapter becomes problematic without additional administrator actions between each deployment. Now in Configuration Manager version 1610, you can exclude the MAC address of this adapter so that it can easily be reused in this scenario.
- The SMBIOS ID is supposed to be a unique hardware identifier, but some specialty hardware devices are built with duplicate IDs. This issue may not be as common as the USB-to-Ethernet adapter scenario just described, but you can address it by using the list of excluded hardware IDs.
For details, see Manage duplicate hardware identifiers.

Enhancements to Windows Store for Business integration with Configuration Manager
Changes in this release:
- Previously, you could only deploy free apps from the Windows Store for Business. Configuration Manager now additionally supports deploying paid online licensed apps (for Intune enrolled devices only).
- You can now initiate an immediate synchronization between the Windows Store for Business and Configuration Manager.
- You can now modify the client secret key that you obtained from Azure Active Directory.
- You can delete a subscription to the store.
For details, see Manage apps from the Windows Store for Business with System Center Configuration Manager.

Policy sync for Intune-enrolled devices
You can now request a policy sync for an Intune-enrolled device from the Configuration Manager console, instead of needing to request a sync from the Company Portal app on the device itself. Sync request state information is available as a new column in device views, called Remote Sync State. The information is also available in the discovery data section of the Properties dialog for each device. For details, see Remotely synchronize policy on Intune-enrolled devices from the Configuration Manager console.

Use compliance settings to configure Windows Defender settings
You can now configure Windows Defender client settings on Intune-enrolled Windows 10 computers by using configuration items in the Configuration Manager console. For details, see the Windows Defender section in Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client.

General improvements to Software Center
- Users can now request apps from Software Center, as well as the Application Catalog.
- Improvements to help users understand what software is new and relevant.

New columns in device collection views
You can now display columns for IMEI and Serial Number (for iOS devices) in device collection views. For more details, see Predeclare devices with IMEI or iOS serial numbers.

Customizable branding for Software Center dialogs
Custom branding for the Software Center was introduced in Configuration Manager version In version 1610, that branding is now extended to all associated dialog boxes to provide a more consistent experience to Software Center users. Custom branding for the Software Center is applied according to the following rules:
- If the Application Catalog website point site server role is not installed, then Software Center displays the organization name specified in the Computer Agent client setting Organization name displayed in Software Center. For instructions, see How to configure client settings.
- If the Application Catalog website point site server role is installed, then Software Center displays the organization name and color specified in the Application Catalog website point site server role properties. For more information, see Configuration options for Application Catalog website point.
- If a Microsoft Intune subscription is configured and connected to the Configuration Manager environment, then Software Center displays the organization name, color, and company logo specified in the Intune subscription properties. For more information, see Configuring the Microsoft Intune subscription.
Enforcement grace period for required application and software update deployments
In some cases, you might want to give users more time to install required application deployments or software updates beyond any deadlines you set up. For example, this might be necessary when a computer has been turned off for an extended period of time and it needs to install a large number of application or update deployments. For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed. To help solve this problem, you can now define an enforcement grace period by deploying Configuration Manager client settings to a collection.

To configure the grace period, take the following actions:
- On the Computer Agent page of client settings, configure the new property Grace period for enforcement after deployment deadline (hours) with a value between 1 and 120 hours.
- In a new required application deployment, or in the properties of an existing deployment, on the Scheduling page, select the check box Delay enforcement of this deployment according to user preferences, up to the grace period defined in client settings. All deployments that have this check box selected, and are targeted to devices to which you also deployed the client setting, will use the enforcement grace period.

If you configure an enforcement grace period and select the checkbox, once the application install deadline is reached, it will be installed in the first non-business window that the user configured up to that grace period. However, the user can still open Software Center and install the application at any time they want. Once the grace period expires, enforcement reverts to normal behavior for overdue deployments. Similar options have been added to the software updates deployment wizard, automatic deployment rules wizard, and properties pages.
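A simplified model of the timing rule described above, added here as an example and not Configuration Manager code: it estimates when a required deployment is enforced without user action, and how many hours the grace period adds past the deadline, which matters when the deployment is a security update. Assumptions: business hours are a single daily window on selected weekdays, and every name (BusinessHours, enforcement_time, delay_report, the sample deployments) is hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Range the page gives for "Grace period for enforcement after deployment deadline (hours)".
MIN_GRACE_HOURS, MAX_GRACE_HOURS = 1, 120


@dataclass(frozen=True)
class BusinessHours:
    """Assumed shape of a user's business hours: one daily window on given weekdays."""
    start: time
    end: time
    days: frozenset  # weekday numbers, Monday = 0

    def contains(self, ts: datetime) -> bool:
        return ts.weekday() in self.days and self.start <= ts.time() < self.end


def enforcement_time(deadline, grace_hours, hours, delay_enabled=True):
    """Estimated automatic enforcement time when the user takes no action.

    delay_enabled models the per-deployment check box "Delay enforcement of this
    deployment according to user preferences". Without it the deadline applies.
    """
    if not delay_enabled:
        return deadline
    if not MIN_GRACE_HOURS <= grace_hours <= MAX_GRACE_HOURS:
        raise ValueError("grace period must be between 1 and 120 hours")
    grace_end = deadline + timedelta(hours=grace_hours)
    if not hours.contains(deadline):
        # The deadline already falls in a non-business window.
        return deadline
    # Deadline is inside business hours: the next non-business window opens
    # when today's business hours end. Never wait past the grace period.
    window_opens = datetime.combine(deadline.date(), hours.end, tzinfo=deadline.tzinfo)
    return min(window_opens, grace_end)


def delay_report(deployments, grace_hours, hours, max_delay_hours):
    """Return (name, enforcement time, added delay in hours, exceeds limit) per deployment."""
    rows = []
    for name, deadline, delay_enabled in deployments:
        when = enforcement_time(deadline, grace_hours, hours, delay_enabled)
        delay = (when - deadline).total_seconds() / 3600
        rows.append((name, when, delay, delay > max_delay_hours))
    return rows


# Constructed sample data: Monday to Friday, 09:00 to 17:00.
HOURS = BusinessHours(time(9, 0), time(17, 0), frozenset(range(5)))
DEPLOYMENTS = [
    ("update-A", datetime(2017, 3, 7, 10, 0), True),   # Tuesday, inside business hours
    ("update-B", datetime(2017, 3, 7, 22, 0), True),   # Tuesday night
    ("app-C", datetime(2017, 3, 7, 10, 0), False),     # check box not selected
    ("update-D", datetime(2017, 3, 11, 11, 0), True),  # Saturday
]

if __name__ == "__main__":
    for name, when, delay, flagged in delay_report(DEPLOYMENTS, 8, HOURS, max_delay_hours=6):
        note = "  <-- exceeds allowed delay" if flagged else ""
        print(f"{name:9} enforced {when:%a %Y-%m-%d %H:%M}  (+{delay:.1f} h){note}")
```
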
Improved functionality in dialog boxes about required software
When a user receives required software, from the Snooze and remind me: setting, they can select from the following drop-down list of values:
- Later. Specifies that notifications are scheduled based on the notification settings configured in Client Agent settings.
- Fixed time. Specifies that the notification will be scheduled to display again after the selected time (for example, in 30 minutes).

(Figure: Computer Agent page in Client Agent settings)

The maximum snooze time is based on notification values configured in the Client Agent settings. For example, if the Deployment deadline greater than 24 hours, remind users every (hours) setting on the Computer Agent page is configured for 10 hours, and it is more than 24 hours before the deadline, the user would see a set of snooze options up to but never greater than 10 hours. As the deadline approaches, fewer options are available, consistent with the relevant Client Agent settings for each component of the deployment timeline.

Additionally, for a high-risk deployment, such as a task sequence that deploys an operating system, the user notification experience is now more intrusive. Instead of a transient taskbar notification, each time the user is notified that critical software maintenance is required, a dialog box such as the following displays on the user's computer:

(Figure: Required Software dialog)

For more information:
- Settings to manage high-risk deployments
- How to configure client settings

Software updates dashboard
Use the new software updates dashboard to view the current compliance status of devices in your organization, and quickly analyze the data to see which devices are at risk. To view the dashboard, navigate to Monitoring > Overview > Security > Software Updates Dashboard. For details, see Monitor software updates.
Improvements to the application request process
After you have approved an application for installation, you can subsequently choose to deny the request by clicking Deny in the Configuration Manager console. Previously, this button was grayed out after approval. This action does not cause the application to be uninstalled from any devices. However, it does stop users from installing new copies of the application from Software Center.

Filter by content size in automatic deployment rules
You can now filter on the content size for software updates in automatic deployment rules. For example, to download only software updates that are smaller than 2 MB, you can set the Content Size (KB) filter to < Using this filter prevents large software updates from automatically downloading, which better supports simplified Windows down-level servicing when network bandwidth is limited. For details, see:
- Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems
- Automatically deploy software updates

To configure the Content Size (KB) field, do one of the following:
- When you create an automatic deployment rule, in the Create Automatic Deployment Rule wizard, go to the Software Updates page.
- In the properties for an existing automatic deployment rule, go to the Software Updates tab.

Office 365 Client Management dashboard
The Office 365 Client Management dashboard is now available in the Configuration Manager console. To view the dashboard, go to Software Library > Overview > Office 365 Client Management. The dashboard displays charts for the following:
- Number of Office 365 clients
- Office 365 client versions
- Office 365 client languages
- Office 365 client channels
For details, see Manage Office 365 ProPlus updates.
Task sequence steps to manage BIOS to UEFI conversion
You can now customize an operating system deployment task sequence with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare a FAT32 partition on the hard drive for transition to UEFI. The following procedure provides an example of how you can create task sequence steps to prepare the hard drive for the BIOS to UEFI conversion. For details, see Task sequence steps to manage BIOS to UEFI conversion.

Improvements to the task sequence step: Prepare ConfigMgr Client for Capture
The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client, instead of only removing key information. When the task sequence deploys the captured operating system image, it will install a new Configuration Manager client each time. For details, see Task sequence steps.

Intune compliance policy charts
You can now get a quick view of overall compliance for devices, and the top reasons for non-compliance, by using new charts under the Monitoring workspace in the Configuration Manager console. You can click a section in the chart to drill down to a list of the devices in that category. For details, see Monitor the compliance policy.

Lookout integration for hybrid implementations to protect iOS and Android devices
Microsoft is integrating with Lookout’s mobile threat protection solution to protect iOS and Android mobile devices by detecting malware, risky apps, and more, on devices. Lookout’s solution helps you determine the threat level, which is configurable. You can create a compliance policy rule in System Center Configuration Manager to determine device compliance based on the risk assessment by Lookout. Using conditional access policies, you can allow or block access to company resources based on the device compliance status. To learn about the integration and how it works, see Manage access based on device, network, and application risk. Users of noncompliant iOS devices will be prompted to enroll. They'll be required to install the Lookout for Work app on their devices, activate the app, and remediate threats reported in the Lookout for Work application to gain access to company data. Learn how to Configure and deploy Lookout for Work apps.

New compliance settings for configuration items
There are many new settings you can use in your configuration items for various device platforms. These are settings that previously existed in Microsoft Intune in a standalone configuration, and are now available when you use Intune with Configuration Manager. For details, see Configuration items for devices managed without the System Center Configuration Manager client.

New settings for Android devices
Password settings
- Remember password history
- Allow fingerprint unlock
Security settings
- Require encryption on storage cards
- Allow screen capture
- Allow diagnostic data submission
Browser settings
- Allow web browser
- Allow autofill
- Allow pop-up blocker
- Allow cookies
- Allow active scripting
App settings
- Allow Google Play store
Device capability settings
- Allow removable storage
- Allow Wi-Fi tethering
- Allow geolocation
- Allow NFC
- Allow Bluetooth
- Allow voice roaming
- Allow data roaming
- Allow SMS/MMS messaging
- Allow voice assistant
- Allow voice dialing
- Allow copy and paste

New settings for iOS devices
- Number of complex characters required in password
- Allow simple passwords
- Minutes of inactivity before password is required

New settings for Mac OS X devices
- Minutes of inactivity before screensaver activates

New settings for Windows 10 Desktop and Mobile devices
- Minimum number of character sets
- Require a password when the device returns from an idle state
- Require encryption on mobile device
- Allow manual unenrollment
- Allow VPN over cellular
- Allow VPN roaming over cellular
- Allow phone reset
- Allow USB connection
- Allow Cortana
- Allow action center notifications

New settings for Windows 10 Team devices
Device settings
- Enable Azure Operational Insights
- Enable Miracast wireless projection
- Choose the meeting information displayed on the welcome screen
- Lockscreen background image URL

New settings for Windows 8.1 devices
Applicability settings
- Apply all configurations to Windows 10
- Required password type
- Minimum password length
- Number of repeated sign-in failures to allow before the device is wiped
- Minutes of inactivity before screen turns off
- Password expiration (days)
- Prevent reuse of previous passwords
- Allow picture password and PIN
- Allow automatic detection of intranet network

New settings for Windows Phone 8.1 devices
- Allow automatic connection to free Wi-Fi hotspots
6
Overview of the SCCM Hierarchy
- SQL database
- Central administration site
- Primary site
- Secondary site

Hierarchy topology
Hierarchy topologies range from a single stand-alone primary site to a group of connected primary and secondary sites with a central administration site at the top-level (top-tier) site of the hierarchy. The key driver of the type and count of sites that you use in a hierarchy is usually the number and type of devices you must support, as follows:

Stand-alone primary site: Use a stand-alone primary site when a single primary site can support management of all of your devices and users (see Sizing and scale numbers). This topology is also successful when your company’s different geographic locations can be successfully served by a single primary site. To help manage network traffic, you can use preferred management points and a carefully planned content infrastructure (see Fundamental concepts for content management in System Center Configuration Manager). Benefits of this topology include:
- Simplified administrative overhead.
- Simplified client site assignment and discovery of available resources and services.
- Elimination of possible lag that's introduced by database replication between sites.
- Option to expand a stand-alone primary hierarchy into a larger hierarchy with a central administration site. This enables you to then install new primary sites to expand the scale of your deployment.

Central administration site with one or more child primary sites: Use this topology when you require more than one primary site to support management of all your devices and users. It's required when you need to use more than a single primary site. Benefits of this topology include:
- It supports up to 25 primary sites that enable you to extend the scale of your hierarchy.
- You will always use the central administration site (unless you reinstall your sites). This is a permanent option. You cannot detach a child primary site to make it a stand-alone primary site.

The following sections can help you understand when to use a specific site or content management option in place of an additional site.

Determine when to use a central administration site
Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. This site type does not manage clients directly but it does coordinate inter-site data replication, which includes the configuration of sites and clients throughout the hierarchy. The following information can help you decide when to install a central administration site:
- The central administration site is the top-level site in a hierarchy.
- When you configure a hierarchy that has more than one primary site, you must install a central administration site, and it must be the first site that you install.
- The central administration site supports only primary sites as child sites.
- The central administration site cannot have clients assigned to it.
- The central administration site does not support site system roles that directly support clients, such as management points and distribution points.
- You can manage all clients in the hierarchy and perform site management tasks for any child site when you use a Configuration Manager console that is connected to the central administration site. This can include installing management points or other site system roles at child primary or secondary sites.
- When you use a central administration site, the central administration site is the only place where you can see site data from all sites in your hierarchy. This data includes information such as inventory data and status messages.
- You can configure discovery operations throughout the hierarchy from the central administration site by assigning discovery methods to run at individual sites.
- You can manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy.
- You can configure file replication and database replication to control communication between sites in the hierarchy. This includes scheduling database replication for site data and managing the bandwidth for the transfer of file-based data between sites.

Determine when to use a primary site
Use primary sites to manage clients. You can install a primary site as a child primary site below a central administration site, or as the first site of a new hierarchy. A primary site that is installed as the first site of a hierarchy creates a stand-alone primary site. Both child primary sites and stand-alone primary sites support secondary sites as child sites of the primary site. Consider using a primary site for any of the following reasons:
- To manage devices and users.
- To increase the number of devices you can manage with a single hierarchy.
- To provide an additional point of connectivity for the administration of your deployment.
- To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a low-bandwidth network. However, with System Center Configuration Manager, you can use options to throttle the network bandwidth use when transferring data to a distribution point. That content management capability can replace the need to install additional sites.

The following information can help you decide when to install a primary site:
- A primary site can be a stand-alone primary site or a child primary site in a larger hierarchy. When a primary site is a member of a hierarchy with a central administration site, the sites use database replication to replicate data between the sites. Unless you need to support more clients and devices than a single primary site can support, consider installing a stand-alone primary site. After a stand-alone primary site is installed, you can expand it to report to a new central administration site to scale up your deployment.
- A primary site supports only a central administration site as a parent site.
- A primary site supports only secondary sites as child sites, and can also support multiple secondary child sites.
- Primary sites are responsible for processing all client data from their assigned clients.
- Primary sites use database replication to communicate directly to their central administration site (which is configured automatically when a new site installs).

Determine when to use a secondary site
Use secondary sites to manage the transfer of deployment content and client data across low-bandwidth networks. You manage a secondary site from a central administration site or the secondary site's direct parent primary site. Secondary sites must be attached to a primary site, and you cannot move them to a different parent site without uninstalling them and then re-installing them as a child site below the new primary site. However, you can route content between two peer secondary sites to help manage the file-based replication of deployment content. To transfer client data to a primary site, the secondary site uses file-based replication. A secondary site also uses database replication to communicate with its parent primary site. Consider installing a secondary site if any of the following conditions apply:
- You do not require a local point of connectivity for an administrative user.
- You must manage the transfer of deployment content to sites lower in the hierarchy.
- You must manage client information that is sent to sites higher in the hierarchy.
If you do not want to install a secondary site and you have clients in remote locations, consider using Windows BranchCache or installing distribution points that are enabled for bandwidth control and scheduling. You can use these content management options with or without secondary sites, and they can help you to reduce the number of sites and servers that you must install. For information about content management options in Configuration Manager, see Determine when to use content management options. The following information can help you decide when to install a secondary site: Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available. Secondary site installation is initiated from the Configuration Manager console, instead of running Setup directly on a computer. Secondary sites use a subset of the information in the site database, which reduces the amount of data that replicates by database replication between the parent primary site and secondary site. Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site. Secondary site installations automatically deploy a management point and distribution point that are located on the secondary site server. Determine when to use content management options If you have clients in remote network locations, consider using one or more content management options instead of a primary or secondary site. You can often remove the need to install a site when you use Windows BranchCache, configure distribution points for bandwidth control, or manually copy content to distribution points (prestage content). 
Consider deploying a distribution point instead of installing another site if any of the following conditions apply: Your network bandwidth is sufficient for client computers at the remote location to communicate with a management point to download client policy, and send inventory, reporting status, and discovery information. Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements. For more information about content management options in Configuration Manager, see Fundamental concepts for content management in System Center Configuration Manager.

Beyond hierarchy topology

In addition to an initial hierarchy topology, consider which services or capabilities will be available from different sites in the hierarchy (site system roles), and how hierarchy-wide configurations and capabilities will be managed in your infrastructure. The following common considerations are covered in separate topics. These are important because they can influence or be influenced by your hierarchy design: When you are preparing to Manage computers and devices with System Center Configuration Manager, consider whether the devices that you manage are on-premises, in the cloud, or include user-owned devices (BYOD). Additionally, consider how you will manage devices that are supported by multiple management options, such as Windows 10 computers that can be managed directly by Configuration Manager or through integration with Microsoft Intune. Understand how your available network infrastructure might affect the flow of data between remote locations (see Prepare your network environment for System Center Configuration Manager). Also consider where the users and devices that you manage are geographically located, and whether they access your infrastructure through your corporate domain or the Internet.
Plan for a content infrastructure to efficiently distribute the information you deploy (files and apps) to devices you manage (see Manage content and content infrastructure for System Center Configuration Manager). Determine which features and capabilities of System Center Configuration Manager you plan to use, the site system roles or Windows infrastructure they require, and at which sites in a multiple site hierarchy you might deploy them for the most efficient use of your network and server resources. Consider security for data and devices, including the use of a PKI. See PKI certificate requirements for System Center Configuration Manager.

Review the following resources for site-specific configurations:
  Plan for the SMS Provider for System Center Configuration Manager
  Plan for the site database for System Center Configuration Manager
  Plan for site system servers and site system roles for System Center Configuration Manager
  Plan for security in System Center Configuration Manager
  Managing network bandwidth when deploying content within a site

Consider configurations that span sites and hierarchies:
  High availability options for System Center Configuration Manager for sites and hierarchies
  Extend the Active Directory schema for System Center Configuration Manager and configure sites to publish site data for System Center Configuration Manager
  Data transfers between sites in System Center Configuration Manager
  Fundamentals of role-based administration for System Center Configuration Manager

Each site is identified by a unique three-character code
The central administration site is for reporting and management only
Primary sites can be parents of secondary sites only
Secondary sites now have their own database
7
Site System Roles in Configuration Manager
10747D 1: Overview of System Center 2016 R2 Configuration Manager
Default site system roles are installed when Configuration Manager setup is run
Optional site system roles are added post-installation to support specific features
Default site system roles:
  Site server
  Site system
  Component server
  Site database server
  SMS Provider: does not display in the console
Optional site system roles:
  Certificate registration point
  Distribution point
  Management point
  Reporting services point
  Software update point
  State migration point
8
What Is a Central Administration Site?
A central administration site:
  Is required to use a multi-site hierarchy
  Is used for administration and reporting
  Requires an SQL database
  Does not process client data
  Does not support client assignment
  Has a limited number of site system roles
9
What Is a Primary Site?
To use Configuration Manager, you must have at least one primary site
Primary sites:
  Can be in a child relationship to a central administration site, which can only be set during installation
  Cannot be a child to another primary site
  Manage clients in well-connected networks
  Require a SQL Server database
  Replicate their data to a central administration site if part of a hierarchy
  Support client assignment
  Consist of one or more systems that host various site system roles
10
What Is a Secondary Site?
A secondary site:
  Is optional
  Must be in a child relationship to a primary site, which is set in the secondary site during installation
  Is used when you need to control network bandwidth
  Requires SQL Server Express or a SQL Server database to store configuration information
  Replicates its collected client data to its parent site by using file-based replication
  Does not support client assignment
  Consists of one or more systems that host various site system roles
11
Small- to Medium-Sized Organization
Small- to medium-sized organizations often use a single primary site that includes:
Mandatory:
  Site server
  Site database
  Management point
  Distribution point
Optional:
  Reporting services point
  Software update point
  Fallback status point
  Other roles as required
[Slide graphic: Single Server with All Site Roles]
12
Medium- to Large-Sized Organization
Medium- to large-sized organizations use primary and secondary sites
A primary site typically includes:
  Site server
  Site database
  Management point
  Distribution point
  Reporting services point
  Software update point
  Fallback status point
  Other roles as required
Secondary sites include: Site Server Site Database Software Update Point Secondary Site Server Remote Distribution Point
13
Configuration Manager in a Global Organization
Example of a complex hierarchy implementation:
  Central Administration Site
  Primary Sites
  Secondary Sites
  Remote Distribution Point
14
How Data Flows and Replicates in a Hierarchy
[Slide graphic: Primary Site, Central Administration Site and Secondary Site, with Global Data and Site Data flows]
Global data:
  Alert rules
  Client discovery
  Collections rules and count
  Configuration items metadata
  Deployments
  Operating system images
  Package metadata
  Program metadata
  Site control file
  Site security objects
  Software updates metadata
  System resource list
Site data:
  Alert messages
  Asset intelligence CAL tracking
  Client Health data
  Client Health history
  Collection membership results
  Component and Site Status Summarizers
  Hardware inventory
  Software distribution status details
  Software inventory and metering
  Software updates site data
  Status messages
15
Module 4: Planning and Deploying a Multiple-Site Hierarchy
Considerations Course 10748A
Install a stand-alone primary site when you have:
  A centralized administration approach
  No more than 100,000 clients
Install secondary sites when you want:
  To offload the client communication from the primary site
  To provide tiered content routing between secondary sites with the same parent
Install multiple primary sites in a hierarchy when you have:
  More clients than can be managed using a single primary site
  Multiple administrative teams that require local connectivity for the Configuration Manager consoles
  A large number of remote locations
  Export regulations on content

Explain the criteria used to determine when to implement each scenario:
  Stand-alone primary site: Centralized administration, up to 100,000 clients
  Additional secondary sites: To offload client communication, tiered content routing
  Complex hierarchy: Larger number of clients, multiple administrative teams, export regulations on content.
Explain that the most important criterion used to determine whether to install a single primary site or a complex hierarchy is the number of clients that will be managed, for example:
  A single primary site can accommodate up to 100,000 clients.
  Adding secondary sites to the single primary site scenario will not increase the total limit of 100,000 clients. It will allow for offloading the client communication overhead from the primary site.
  A complex hierarchy will allow for up to 300,000 clients.
Question: How many sites need to be implemented for 50,000 clients?
Answer: The number of sites to be implemented depends on the administrative model and restrictions on content distribution. An installation with 50,000 clients can be managed with a stand-alone primary site. In remote locations, you may need to install additional secondary sites or distribution points.
16
Planning a Multiple-Site Hierarchy
A central administration site:
  Supports up to 25 child primary sites
  Supports up to 400,000 clients in the hierarchy when using SQL Server Enterprise for the site database
  Supports up to 50,000 clients in the hierarchy when using SQL Server Standard for the site database
A primary site:
  Supports up to 250 secondary sites
  Supports up to 250 distribution points
  Supports up to 10 management points
  Supports up to 50,000 clients when SQL Server is on the site server
  Supports up to 100,000 clients when SQL Server is on a separate computer
A secondary site:
  Supports up to 250 distribution points
  Supports a single management point located on site server
  Supports communications from up to 5,000 clients

Use the slide to explain the capacity limits for central administration site, primary sites and secondary sites. Stress the importance of using the right edition of Microsoft SQL Server® at the central administration site.
Question: What is the total number of distribution points that can be installed in a primary site and its child secondary sites?
Answer: A primary site supports a combined total of up to 5,000 distribution points, including the distribution points installed in the child secondary sites.
References: Supported Configurations for Configuration Manager
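The parent/child rules and capacity limits on this slide can be checked against a planned hierarchy before any site is installed. The following Python validator is an added example, not part of the course material or of Configuration Manager; the Site record, the validate function and the sample plan are assumptions made for illustration, and the limits are the ones stated on this slide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limits as stated on the "Planning a Multiple-Site Hierarchy" slide.
CAS_MAX_CHILD_PRIMARIES = 25
CAS_MAX_CLIENTS = {"enterprise": 400_000, "standard": 50_000}  # by SQL Server edition
PRIMARY_MAX_SECONDARIES = 250
PRIMARY_MAX_CLIENTS = {True: 50_000, False: 100_000}  # key: is SQL Server on the site server?
SECONDARY_MAX_CLIENTS = 5_000
MAX_DPS = 250                                          # per primary or secondary site
MAX_MPS = {"cas": 0, "primary": 10, "secondary": 1}    # a CAS hosts no client-facing roles


@dataclass
class Site:                        # hypothetical planning record, not a ConfigMgr object
    code: str
    kind: str                      # "cas", "primary" or "secondary"
    parent: Optional[str] = None   # site code of the parent site
    clients: int = 0               # assigned (primary) or communicating (secondary)
    mps: int = 0                   # management points
    dps: int = 0                   # distribution points
    sql_edition: str = "standard"  # read for the CAS only
    sql_local: bool = True         # read for primary sites only


def validate(sites: List[Site]) -> List[str]:
    """Return one finding per broken rule; an empty list means the plan passes."""
    out: List[str] = []
    by_code: Dict[str, Site] = {}
    for s in sites:
        if len(s.code) != 3:
            out.append(f"{s.code}: site code is not three characters")
        if s.code in by_code:
            out.append(f"{s.code}: site code is not unique")
        by_code[s.code] = s

    cas = [s for s in sites if s.kind == "cas"]
    primaries = [s for s in sites if s.kind == "primary"]
    if len(cas) > 1:
        out.append("hierarchy: more than one central administration site")
    if len(primaries) > 1 and not cas:
        out.append("hierarchy: more than one primary site requires a central administration site")

    for s in sites:
        if s.kind not in MAX_MPS:
            out.append(f"{s.code}: unknown site type {s.kind!r}")
            continue
        parent = by_code.get(s.parent) if s.parent else None
        if s.mps > MAX_MPS[s.kind]:
            out.append(f"{s.code}: {s.mps} management points, limit is {MAX_MPS[s.kind]}")
        if s.kind == "cas":
            if s.parent:
                out.append(f"{s.code}: the central administration site is the top-level site")
            if s.clients or s.dps:
                out.append(f"{s.code}: a central administration site has no clients or distribution points")
            continue
        if s.dps > MAX_DPS:
            out.append(f"{s.code}: {s.dps} distribution points, limit is {MAX_DPS}")
        if s.kind == "primary":
            # A primary site stands alone or reports to the CAS, never to another primary.
            if (s.parent or cas) and (parent is None or parent.kind != "cas"):
                out.append(f"{s.code}: a primary site supports only a central administration site as parent")
            limit = PRIMARY_MAX_CLIENTS[s.sql_local]
        else:
            if parent is None or parent.kind != "primary":
                out.append(f"{s.code}: a secondary site must be a child of a primary site")
            limit = SECONDARY_MAX_CLIENTS
        if s.clients > limit:
            out.append(f"{s.code}: {s.clients} clients, limit is {limit}")

    for p in primaries:
        n = sum(1 for s in sites if s.kind == "secondary" and s.parent == p.code)
        if n > PRIMARY_MAX_SECONDARIES:
            out.append(f"{p.code}: {n} secondary sites, limit is {PRIMARY_MAX_SECONDARIES}")
    for c in cas:
        children = [p for p in primaries if p.parent == c.code]
        if len(children) > CAS_MAX_CHILD_PRIMARIES:
            out.append(f"{c.code}: {len(children)} child primary sites, limit is {CAS_MAX_CHILD_PRIMARIES}")
        total = sum(p.clients for p in children)
        limit = CAS_MAX_CLIENTS.get(c.sql_edition, 0)  # unknown edition: treated as unsupported
        if total > limit:
            out.append(f"{c.code}: {total} clients in the hierarchy, limit is {limit} with SQL Server {c.sql_edition}")
    return out


# Constructed sample plan (not from the course): four deliberate mistakes.
SAMPLE_PLAN = [
    Site("CAS", "cas", sql_edition="standard"),
    Site("PR1", "primary", "CAS", clients=40_000, mps=2, dps=40),
    Site("PR2", "primary", "CAS", clients=30_000, mps=1, dps=10, sql_local=False),
    Site("SE1", "secondary", "PR1", clients=6_000, mps=1, dps=1),  # over 5,000 clients
    Site("SE2", "secondary", "SE1", clients=100, mps=1, dps=1),    # parent is a secondary
    Site("PR3", "primary", "PR1", clients=500, mps=1, dps=1),      # parent is a primary
]

if __name__ == "__main__":
    for finding in validate(SAMPLE_PLAN):
        print(finding)
```

In the sample plan the fourth finding comes from the SQL Server edition at the central administration site: 70,000 clients across the two valid child primary sites exceed the 50,000 limit stated for SQL Server Standard.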
17
Overview of the Administration Tools
Configuration Manager console:
  Primary method of managing a Configuration Manager deployment
  You can install it on an administrator’s client computer
Configuration Manager client:
  Trigger updates and retrieve information about individual client computers
Windows PowerShell Configuration Manager cmdlets:
  Enable you to script Configuration Manager activities
Orchestrator runbooks:
  Enable using runbook automation to perform Configuration Manager tasks

Discuss each of the different Configuration Manager administration tools. Stress why you might want to use the console to perform one task, when you might want to use Windows PowerShell® or System Center 2016 R2 Orchestrator to automate tasks, or when you might choose to use the Configuration Manager client to trigger an action directly on a client device.
18
Using the Configuration Manager Console
[Slide graphic: Configuration Manager console with the Ribbon, Results Pane, Navigation Pane, Workspaces and Preview Pane labelled]

You might find it helpful to open the Configuration Manager console and point out the changes to the ribbon and the results pane as you change focus in the console.
The ribbon contains the actions that you can perform on the currently selected object. These actions also are available by right-clicking the object.
The workspaces are navigation tools that help you navigate quickly through the different management areas.
The results pane shows the objects that are available under the currently selected workspace or node.
The preview pane is a tabbed pane that appears as the bottom part of the results pane, depending on the object currently selected in the results pane.
The navigation pane is the main navigation area. It contains the nodes that make up the selected workspace. When you perform certain tasks, such as searches or queries, Configuration Manager creates temporary nodes that display the task results.
When viewing certain home pages, running queries, or performing similar actions, the results pane is usually a single pane displaying the page or the results of the query. However, when selecting most objects, the results pane displays a subpane called the preview pane.
Reference: SCCM 2016 Console GUI Overview
19
Overview of Client Installation Methods
3: Managing the Configuration Manager Client Agent
The client deployment installation methods include:
  Client push installation
  Group Policy installation
  Software update point installation
  Manual installation
  Logon script installation
  Upgrade installation (software deployment)
  Operating system deployment
  Computer imaging

This is an overview topic. You will discuss each deployment method listed in more detail in later topics. The Determine the Client Installation Method to Use for Computers in Configuration Manager webpage on the Microsoft System Center website provides a table that lists the advantages and disadvantages for the various client deployment methods. For more information, refer to the Additional Reading link provided in the supplemental content website.
Discuss each client deployment method. The preferred client deployment method will vary based on your needs and how much of the rollout or maintenance phase Configuration Manager has completed. Additionally, point out that the number of clients being deployed will affect network bandwidth.
Reference: Determine the Client Installation Method to Use in Configuration Manager 2016
Question: Which client deployment method will you use for your organization, and why?
Answer: Answers will vary.
20
Device Requirements to Support the Client Agent
Supported Windows-based clients include:
  Windows XP SP3, Windows XP x64 SP2, Windows Server 2003 SP2, and newer operating systems
Prerequisite software includes:
  Windows Installer version or newer
Installation process installs these additional prerequisites before client installation:
  Windows Update Agent
  Microsoft Core XML Services
  Microsoft Visual C++ Redistributable
  Microsoft Policy Platform
  Microsoft Silverlight
  Microsoft .NET Framework 4 Client

Familiarize students with the types of systems in which the clients can be installed. Update yourself on the latest compatibility requirements. Explain that the client installation process includes the installation of software such as Visual C++® and Microsoft Silverlight®.
References: Prerequisites for Client Deployment in Configuration Manager 2016
Question: If your environment contains computers that are running Windows® XP Service Pack 1 (SP1), what would you need to be able to install the Configuration Manager client agent?
Answer: You would need to update these systems to at least Windows XP Service Pack 3 (SP3), if they are 32-bit systems, or Windows XP Service Pack 2 (SP2), if they are 64-bit systems.
21
Considerations for Virtual Desktop Infrastructure
RDS:
  Configuration Manager client agent is installed only once on the Remote Desktop Session Host
  All features are supported
Private virtual machines:
  Configuration Manager client agent is installed in each virtual machine
Pooled virtual machines:
  Configuration Manager client agent is installed on each virtual machine
  Software inventory, hardware inventory, and software metering data may not be relevant

Point out that course “20416B: Implementing Desktop Application Environments”, of the Windows Server® 2016 set of courses, provides more detail about virtual desktop infrastructure (VDI). Explain in detail, and concentrate on, the three different environments: Remote Desktop Services (RDS), private virtual machines, and pooled virtual machines. Make sure students understand the primary difference between private and pooled virtual machines. Private virtual machines have a one-to-one mapping with users and are persisted; pooled virtual machines are shared by all, provisioned as needed, and destroyed after use. Therefore, inventory data for pooled virtual machines may be useless.
22
Supporting Internet-Based Clients
Considerations for supporting Internet-based clients:
  Internet-based clients require a PKI
  Microsoft Certificate Services certificate templates can simplify certificate enrollment
  All systems involved must trust the root CA
  Internet-facing roles require a certificate
  Client systems use a certificate for authentication

Describe the requirements for supporting clients on the Internet. You do not need to provide extensive detail on designing a public key infrastructure (PKI) solution. Focus on the client implications of connecting across the Internet.
Explanation of the slide graphic: An internal PKI is used to issue client and server authentication certificates. Each system must have the root certification authority (CA) certificate in the trusted root store. The graphic of the web-based services for the primary site represents the following Internet Information Services (IIS):
  Management point
  Distribution point
  Software update point
  State migration point
  Enrollment point
  Enrollment proxy point
  Application catalog web-service point
  Application catalog website point
Explain that you need to present only the services that you are using to the Internet. Discuss the potential impact of putting a fallback status-point server on the Internet, which is an HTTP-only server that inserts data into a production database.
Note: Remind students that a root CA should be offline for security purposes.
Reference: PKI Certificate Requirements for Configuration Manager 2016
Question: Are you planning to support Internet-based clients in your environment? If so, are you going to install a private PKI in your environment?
Answer: Answers will vary.
[Slide graphic labels: Secure web services; All utilized IIS-based site services except fallback status point (not an HTTPS service) without PKI-issued server certificate; HTTPS connection; Client system on Internet with PKI-issued client certificate; Primary site; Root CA; Issuing CA; PKI infrastructure]
23
Supporting Mobile Devices
Supported mobile devices include:
  Windows Phone 8, Windows 10, Windows RT, and iOS devices
  Windows Mobile 6.0 or newer
  Windows CE 5.0 or newer
  Nokia Symbian Belle
  Limited support for devices that use ActiveSync
  Android
Client certificates are required on mobile devices for full support
You can support and manage mobile devices by using:
  Windows Intune connector
  Configuration Manager client agent
  Legacy Configuration Manager client agent
  Exchange connector

Introduce the topic of mobile devices, and explain that students can manage mobile devices through Windows Intune™ or Microsoft Exchange Server Connector. Additionally, mention supported mobile devices, such as Nokia Symbian Belle and ActiveSync®. Module 13, “Mobile Device Management Using System Center 2016 R2 Configuration Manager”, covers this topic in more detail.
References:
  Determine How to Manage Mobile Devices in Configuration Manager 2016
  Prerequisites for Windows Client Deployment in Configuration Manager
24
Supporting Workgroup-based Clients
The prerequisites that workgroup-based computers must meet include:
  The Configuration Manager client agent must be installed manually on each workgroup-based computer
  A network access account must be configured
The features that workgroup-based computers do not support include:
  Client push installation
  Targeting users for application deployment
  Global roaming
  Using AD DS to locate site systems
  Active Directory discovery

Point out the prerequisites and limitations of workgroup-based computers. Also, remind students that workgroup-based computers do not use Kerberos for authentication, and therefore will require a manual approval to start management.
25
Supporting Mac Computers
The following features are supported in Mac OS X computers:
Hardware inventory:
  Viewed in Resource Explorer
  Used to create queries, collections, and reports
Software deployment. Deploy software packages in the following formats:
  Mac OS Installer Package (.PKG)
  Mac OS X Application (.APP)
  Apple Disk Image (.DMG)
  Meta Package File (.MPKG)
Compliance settings. Configuration Manager supports:
  .plist files
  Shell scripts

Reminder: Only a subset of the management features are available to Mac computers. Also, Mac computers do not support the following capabilities:
  Client status check and remediation
  Maintenance windows
  Remote control
  Power management
  Software updates (although you can use application management to update software)
  Client push installation
  Operating system deployment
26
Supporting Linux-based and UNIX-based Computers
The supported operating systems include:
  Red Hat Enterprise, Solaris, SUSE Linux Enterprise Server, Debian, CentOS, Ubuntu Server, Oracle Linux
  IBM AIX, HP-UX
Linux-based and UNIX-based computers support the following features:
Hardware inventory:
  Viewed in Resource Explorer
  Used to create queries, collections, and reports
Software deployment:
  User interaction is not supported
  Maintenance windows are fully supported

Reminder: Only a subset of the management features are available to Linux-based and UNIX-based computers. Also, Linux-based and UNIX-based computers do not support the following capabilities:
  Compliance settings.
  Remote control.
  Power management.
  Software updates, although you can use software deployment to update software.
  Client push installation.
  Operating-system deployment.
Reference: Deploying Software to Linux and UNIX Servers in Configuration Manager
27
Support Structure for Client Support
Internet-based client management allows you to manage Configuration Manager 2007 clients when they are not connected to your company network but have a standard Internet connection. This arrangement has a number of advantages, including the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a more timely manner. Because of the higher security requirements of managing client computers on a public network, Internet-based client management requires that the site is in native mode. This ensures that connections to the management point, software update point, and distribution points are authenticated by an independent authority, and that data to and from these site systems are encrypted using Secure Sockets Layer (SSL). Features that Are Not Supported on the Internet Not all Configuration Manager 2007 features are appropriate for the Internet, and so they are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services (which is not accessible from the Internet) or are not appropriate for a public network (such as network discovery and Wake On LAN). The following features are not supported when clients are managed on the Internet: Software distribution that is targeted to users (either directly or through Microsoft Windows security groups). Branch distribution points (a branch distribution point cannot support Internet clients, and clients on the Internet cannot be configured as a branch distribution point). Client deployment over the Internet. Auto-site assignment. Network Access Protection (NAP). Wake On LAN. Operating system deployment. Task sequences. Remote control. Out of band management in Configuration Manager 2007 SP1 and later. The client ping functionality used with the client status reporting feature in Configuration Manager 2007 R2. 
Additionally, Internet-based client management does not support roaming, which allows clients to always find the closest distribution points to download content. Clients that are managed on the Internet have a fixed Internet-based management point and communicate with that management point only when they are on the Internet, and with site systems in the site that are configured for Internet-based client management. Clients connecting over the Internet will download content from any of the Internet-based distribution points in the site, regardless of bandwidth or physical location. For this reason, you cannot configure a protected site system to support Internet-based client management. Configuring Site Systems for Internet-Based Client Management There are no new site system roles required to support clients on the Internet. Instead, existing site system roles in a native mode, primary site are configured for Internet-based client management and placed appropriately on the network. The following site systems can support client management over the Internet: Management point (with and without a network load balancing cluster) Distribution points Fallback status point Software update point (with and without a network load balancing cluster) A number of supported scenarios determine the location of servers in the Configuration Manager 2007 primary site. These range from having the complete Configuration Manager 2007 site contained within the perimeter network (also known as a screened subnet or DMZ) to having the site divided between the perimeter network and the intranet. The configuration of firewalls and Web proxies will depend on the server placement you choose. If you are using a proxy Web server, such as Microsoft ISA Server 2006, it must also have an appropriate certificate and support SSL termination so that the proxy Web server can authenticate client connections. 
Configuring Clients for Internet-Based Management

Client computers and mobile client devices can be configured for one of the following management methods:
  Internet-only management
  Intranet-only management
Clients that are managed over the Internet must be configured to use their assigned site's Internet-based management point. Clients cannot communicate with an Internet-based management point from another site or with any other Internet-based site systems from another site. The configuration for the Internet-based management point can be specified with command-line properties during installation or specified in the Internet tab of Configuration Manager from the Control Panel of a client computer.
28
Backend Infrastructure Diagram
Central Administration Site (CAS)
CAS is the recommended location for all administration and reporting for the hierarchy, if you choose to deploy a hierarchy with a CAS. Central Administration sites are used in scenarios where you need more than one Primary Site, such as when you need to manage more than clients. The maximum number of clients supported for an entire Configuration Manager 2012 hierarchy is The CAS supports only primary sites as child sites. It has limited site roles available, has no clients assigned, and doesn’t process client data. The CAS requires SQL Server for data that is gathered from the hierarchy.

Primary Site
A required site that manages clients in well-connected networks. All clients are assigned to a primary site. Primary sites cannot be tiered below other primary sites. Each Primary site can support up to 250 secondary sites, clients and 10 management points (for load balancing). A SQL server is required for primary sites. If an organization has less than clients, it should only use a single stand-alone primary site.

Secondary Site
Secondary sites can be used to service clients in remote locations where network control is needed. The general recommendation, though, is to avoid using secondary sites in such scenarios and to deploy Distribution Points in remote locations instead, because they allow controlling, or throttling, network bandwidth for content distribution between a site and a remote distribution point. Secondary sites are installed through the Configuration Manager console. A management point and distribution point are automatically deployed when the site is installed. SQL Server Express or a full instance of SQL Server is required for a secondary site. If neither is installed when the site is installed, SQL Server Express is automatically installed. Secondary sites must be direct child sites below a primary site, but can be configured to send content to other secondary sites.
They also receive a subset of the Configuration Manager database. Clients cannot be assigned directly to secondary sites. Because administrative consoles can connect only to a central administration or primary site, secondary sites are typically used in locations that do not have administrators, or in locations where you need clients to scan for software updates compliance without needing to talk to a primary site server. The latter can be achieved by installing the software update point role on a secondary site server. 2. Site System Roles Site System Roles are roles that can be installed on Configuration Manager 2012 R2 site servers. Any computer hosting a site system role is referred to as a site system server. You can assign multiple roles to one site system server. There are five site system roles that must exist in each site and must be configured during installation of a CAS or a Primary site, while the rest of the site system roles are optional. Default Site System Roles Component Server Any server running the Configuration Manager Executive service. It is automatically installed with all site system roles except the Distribution Point, and is used to run Configuration Manager services. Site Database Server Server with Microsoft SQL Server installed, hosting the Configuration Manager site database. This database is used to store information about assets and site data. Site Server Contains components and services required to run a central administration, primary, or secondary site. Site System Supports both required and optional site system roles. Any server (or share) with an assigned role automatically receives this role. SMS Provider A WMI provider operating as an interface between the Configuration Manager console and the site database. Secondary sites do not install SMS providers. Optional Site System Roles Application Catalog Web Service Point Publishes software information from the software library to the Application Catalog Website. 
Application Catalog Website Point Publishes the available software for a user on the Application Catalog Website. Asset Intelligence Synchronization Point Synchronizes Asset Intelligence data from System Center Online by downloading Asset Intelligence catalog data and uploading custom catalog data. This role can only be installed on the CAS or a stand-alone primary site server. Certificate Registration Point Communicates with the server that runs the Network Device Enrollment Service of Active Directory Certificate Services to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP). Distribution Point This role stages packages (source files), such as application content, software packages, software updates, operating system images, and boot images to clients. A Distribution Point can not be connected to a CAS, it always communicates with a primary site or a secondary site. A single Distribution Point is capable of supporting up to 4000 clients. A site can hold up to 250 Distribution Points. Endpoint Protection Point This role is configured at the Central Administration Site or a stand-alone primary site. With the System Center Endpoint Protection role you can secure your clients and servers from viruses and malware by deploying (and managing) Microsoft System Center 2012 Endpoint Protection to clients. Microsoft System Center 2012 Endpoint Protection provides an antimalware and security solution for the Microsoft platform. Enrollment Point Facilitates enrollment of Intel’s Active Management Technology (AMT)-based computers and mobile devices. Enrollment Proxy Point Allows the management of mobile device enrollment through Configuration Manager. Fallback Status Point Provides an alternative location for clients to send up status messages during installation when they cannot communicate with their management point. 
Management Point Facilitates communication between a client and site server by storing and providing policy and content location information to the client, and receiving data from the client such as status messages and inventory. One Management Point can support up to clients. Out-of-Band Service Point Allows out of band management of AMT-based computers. Reporting Services Point Used to integrate reporting through SQL Server Reporting Services and is required if using reports. Software Update Point Provides software update management for Configuration Manager clients by integrating with Windows Server Update Services (WSUS). Sate Migration Point When using OSD, the state migration point holds the user state data for migration to the new operating system. System Health Validator Point When implementing Network Access Protection (NAP) a system health validator point validates the Configuration Manager NAP policies. The role must to be installed on the NAP health policy server. Windows Intune Connector When managing mobile devices via Windows Intune you need to install the Windows Intune connector to be able to retrieve status messages and inventory messages from the mobile devices that are enrolled in Windows Intune.
29
Module 5: Querying and Reporting Data (Course 10747A)
Data Query
Data queries extract information related to resource discovery or inventory data. In general, the primary purpose of data queries is to build collections.
30
Status Message Query
A status message query has a very specific use. The site status and component status nodes show status messages related to a very specific site system or component. Although there are some filtering options, these may not be sufficient when troubleshooting an issue. In such cases you can use status message queries to create custom queries for status messages, including status messages from clients. The primary purpose of status message queries is to locate stored status messages.
31
Querying Elements
- Every query requires a unique name, and System Resource is the default object type
- Attribute classes and attributes are required, and if not specified, all available attributes display
- Optional query elements are used to narrow the scope of a query
[Slide graphic: query statement dialog boxes with callouts: Required Name, Required Object Type, New, Delete, Group, Ungroup, Properties, Change Operator, Not, Logical Operators, Group Indicators, Class, Attribute, Sort]

Practice using the animation. After the first click of the mouse, the Edit Query Statement button is highlighted and the All Client System Query Statement Properties dialog box appears. At the second click, the Query Statement Properties dialog box appears.

Discuss the following query elements: Query name, Object type, Attribute class, and Attribute. Explain that the query name is the only required field to create a query. All other fields have a default value. If you do not specify any attribute classes and attributes on the General tab, then all attributes and classes for the object type are used for the query.

Discuss the four data types that the query attributes use to store data: Numerical, String, Date and time, and Parameterized.

Discuss the following optional query elements:
- Criterion types
- Logical operators
- Group parentheses
- Attribute class join

Explain the use of wildcard characters when providing string values in the Additional Information box in the Criterion Properties dialog box:
- % : Any string of zero or more characters
- _ : Any single character
- [ ] : Any single character within the range or set (for example, [a-f] or [abcdef])
- [^] : Any single character not within the specified range (for example, [^a-f] or [^abcdef])

Question: When creating a query to discover all the Windows® 7 computers with a CD burner and a specific video card, would you need to create any attribute class joins?
Answer: No. Suitable joins are automatically created when you build the query.

References: About Query Elements; Queries in Configuration Manager
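The wildcard rules listed above can be tried out before a criterion is saved. The following is an added illustration, not part of the original course material and not Configuration Manager's own matching engine: a small Python emulation of the four wildcards, run over constructed computer names. The function names and sample names are hypothetical, and case-insensitive matching is an assumption.

```python
import re

# Constructed sample data: computer names as they might appear in a query result.
NAMES = ["WS-A101", "WS-B202", "WS-G303", "SRV-DC01", "SRV-SQL1", "LAB_PC7", "WS-A1"]


def like_to_regex(pattern):
    """Translate a criterion value using %, _, [set] and [^set] into a regex.

    %      -> any string of zero or more characters
    _      -> any single character
    [a-f]  -> any single character in the range or set
    [^a-f] -> any single character not in the range or set
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated [ in pattern: %r" % pattern)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError("empty character set in pattern: %r" % pattern)
            # Keep '-' so ranges such as a-f still work; escape regex-special
            # characters that would change the meaning of the set.
            escaped = "".join("\\" + c if c in "\\^[" else c for c in body)
            parts.append("[" + ("^" if negate else "") + escaped + "]")
            i = end  # continue after the closing bracket
        else:
            parts.append(re.escape(ch))
        i += 1
    # Assumption: comparisons are case-insensitive.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def like_match(value, pattern):
    """Return True when the whole value matches the wildcard pattern."""
    return like_to_regex(pattern).fullmatch(value) is not None


def filter_names(names, pattern):
    """Return the names that match the pattern, in their original order."""
    return [n for n in names if like_match(n, pattern)]


if __name__ == "__main__":
    for pat in ["WS-%", "WS-[a-f]%", "WS-[^a-f]%", "SRV-____", "LAB[_]PC_"]:
        print("%-12s -> %s" % (pat, filter_names(NAMES, pat)))
```

Because `_` is itself a wildcard, a literal underscore in a name is matched by placing it in a set, as in `LAB[_]PC_`.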
32
Managing Data Queries
To create a data query:
1. Complete the settings on the General page of the Create Query Wizard
2. Import an existing query or build a query from scratch
3. Edit the query statement
4. Edit the General tab of the query statement properties to specify the criteria to display
5. Add search criterion on the Criteria tab
6. When creating criterion, use the Values button to display the related data currently stored in the database

Show the location of the data queries in the console. Describe how to create a data query. When you discuss the settings on the General page of the Create Query Wizard, explain that although adding a comment is not required, it is a good practice, because it provides the opportunity to document the reason for creating the query. Also, mention the following:
- You can move queries from one folder to another by using the Move Items action in the Results pane. You can also drag and drop queries from one folder to the other.
- You can use the search bar to search through the query results in the results pane.

Question: What programming language do you use to create Configuration Manager queries?
Answer: You use WQL, a query language similar to SQL statements, to create queries.
33
What Is Inventory Collection?
Course 10747D, Module 4: Managing Inventory and Software Metering

Inventory collection is:
- The process of gathering information that describes the hardware and software installed on a client computer
- Configured by using client settings for the hierarchy or assigned on a per-collection basis

Types of inventory data:
- Hardware inventory data
- Software inventory data
- Asset intelligence data

Point out that in earlier Configuration Manager versions, you had to configure hardware and software inventory settings on a per-site basis. System Center 2016 R2 Configuration Manager now enables you to create custom client settings that you can assign to collections. This provides a more granular approach to inventory collection. Additionally, mention that the Asset Intelligence feature gathers data during the hardware inventory process, and that there are configuration and management settings that you can specify.

Question: You would like to identify all computers that have 1 gigabyte (GB) to 4 GB of random access memory (RAM). What inventory feature can assist you with this task?
Answer: You can use hardware inventory to find all computers that have between 1 GB and 4 GB of RAM.

Reference: Inventory in Configuration Manager
34
Management Tasks That Use Inventory Data
Uses of hardware and software inventory data include:
- Building queries based upon hardware configuration or installed software
- Building collections on the basis of queried inventory results
- Creating reports to display hardware configuration or installed software details
- Maintaining corporate standards
- Troubleshooting client problems
- Collecting files (software inventory only)

Describe some of the ways that you can use hardware and software inventory to support these Configuration Manager features:
- Building queries based upon hardware configuration or installed software. One example is that you can create a query that displays all computers with less than 500 megabytes (MB) of space left on their hard drive. This enables you to prevent problems proactively with future software deployments.
- Building collections based upon queried inventory results. One example is that you can create a collection that contains all computers that have Windows® 7 installed. You then can use this collection to deploy specific software packages that support only Windows 7 computers.
- Creating reports to display details about a client's hardware or software configuration. One example would be if your manager requires a report for a budget proposal that provides detailed hardware or software configurations of specific computers.
- Troubleshooting client problems. One example is that you may be able to view hardware or software inventory results to determine why a computer has performance issues.
- Maintaining corporate standards. One example is that you can maintain information about current hardware and software installations to ensure that all computers meet the current compliance requirements.
- Collecting files (software inventory only). One example is if you need to collect a specific configuration file from computers within a specific site.

Question: How will you use inventory collection in your environment?
Answer: Answers will vary. Have students share their previous experiences with, as well as their goals regarding, the use of inventory collection. For example, ask whether they are using hardware inventory for budget reports or upgrade analysis.
35
The Process of Inventory Collection
View inventory information at a site after its database is updated by this process:
- Client gets settings and collects inventory
- Deliver data to management point
- Deliver data to site server
- Update site database
- Replicate to the central administration site
[Slide diagram labels: Client, Management Point, Site Server, Site Database Server]

Start the discussion by describing the components that an inventory collection uses, including the:
- Client
- Management point
- Site server
- Site database

Use the slide to help describe the components and explain how you can use them. Mention that, by default, inventory collection runs once every seven days. However, you can modify the schedule.

Provide a description of the inventory collection process, which includes the following steps:
- Collect inventory. Inventory agents create inventory data files that list the collected data.
- Deliver data to management point. Clients send the inventory data files to the management point.
- Deliver data to site server. The management point then sends inventory data files to the site server.
- Update site database. Configuration Manager updates the database. The primary site servers add the inventory data to the Configuration Manager site database, which maintains the hardware inventory history for each client. However, it does not maintain a software inventory history. Configuration Manager retains only the current software inventory data for each client.
- Replicate to the central administration site. Explain that inventory data is site data, which replicates to any central administration site that you implement. However, site data will not replicate to any other primary sites in the hierarchy.

You can view hardware and software inventory data in the Configuration Manager console by using the Resource Explorer or reports. You also can use inventory data to create queries, collections, and custom reports. When viewing hardware inventory, you can view the history of each previous hardware inventory collection. When viewing software inventory, you can view the current state only.
36
How Is Hardware Inventory Collected?
A hardware inventory obtains information by querying:
- WMI database on Windows client computers
- CIM database named OMI on Linux, UNIX, and Mac OS X

The hardware inventory agent collects:
- An initial full hardware inventory
- Subsequent delta inventories

Describe how the Hardware Inventory Agent feature in Configuration Manager collects a hardware inventory for your clients. Describe the changes to inventory collection in System Center 2016 Configuration Manager and System Center 2016 R2 Configuration Manager when compared to previous Configuration Manager versions.

Previous Configuration Manager versions used a file named SMS_DEF.MOF to specify the classes and attributes for collection from Windows Management Instrumentation (WMI). System Center 2016 R2 Configuration Manager no longer uses this file. However, the site database still has a SMS_DEF.MOF definition in which to store the classes and attributes. You now must specify the classes and attributes by modifying the Hardware Inventory client settings in the System Center 2016 R2 Configuration Manager console.

This course assumes that students understand WMI concepts. However, if students require more information, you can explain that WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is a unifying architecture that allows access to data from a variety of underlying technologies, including the Win32 class, WMI, the Desktop Management Interface (DMI), and the Simple Network Management Protocol (SNMP). WBEM is based upon the Common Information Model (CIM) schema, which is an industry standard driven by the Distributed Management Task Force. WMI uses Managed Object Format (MOF) files to determine what information to load into the CIM repository. WMI also uses providers to access the CIM repository. WBEM provides a standard way to define information that a system should collect (the MOF), represent that information (the CIM), and provide a method to access that collected information.

You can find out more about the CIM server used on OS X, Linux, and UNIX clients at

Reference: Introduction to Hardware Inventory in Configuration Manager
37
Collecting Hardware Inventory
Use this topic to describe the options available when configuring hardware inventory. Be sure to mention that by default, hardware inventory is enabled for the Default Settings that apply to the entire site hierarchy. However, you can apply specific settings to a set of devices, such as custom hardware inventory classes that are applicable only to a specific hardware model. You can do this by creating and configuring a custom device client setting, and then assigning the custom setting to a collection that contains the computers for which you want to produce a hardware inventory.

Reference: How to Configure Hardware Inventory in Configuration Manager
38
How Is Software Inventory Collected?
The software inventory process:
- Collects data directly from files by reading the file header information
- Collects file system details even from unknown files that may not have information in their file header
- Collects copies of files that you specify and stores them on the site server
- Enables you to view collected inventory and file information by using Resource Explorer, or view software inventory information in reports

Use this topic to describe how software inventory works. Point out that Software Inventory is useful for identifying various file types. However, you should not use it for identifying installed software, such as .exe files. You should use Asset Intelligence to identify installed applications. Furthermore, point out that Configuration Manager can inventory files that do not have information stored within the file header, and reports these files as unknown.

Information that Configuration Manager gathers can include data related to the operating system, installed programs, and any files that you want to inventory. Configuration Manager stores this data in the site database, where you can use the information in queries to generate and view reports, or to build software-specific collections. For example, you can create a collection of all computers that have specific versions of files, or you can find all clients with an old version of a file, and replace it with a new version.

Question: How will you use software inventory in your organization?
Answer: Answers will vary. Be sure to have the students provide suggestions on how they currently use or could use software inventory in their organizations.

Reference: Introduction to Software Inventory in Configuration Manager
39
Software Inventory File Types
To configure new software inventory rules:
- Create a new inventory rule
- Type the file name or variable
- Specify the location
- Specify whether to exclude encrypted and compressed files
- Specify whether to exclude files in the Windows directory
- Specify the reporting detail for all rules

Be sure to point out that while software inventory can inventory encrypted and compressed files, software inventory may run much slower due to the additional processing required. When the software inventory scans encrypted files, it must create an unencrypted copy of the file. Additionally, if antivirus software is running on the client machine, the antivirus software detects the Inventory Agent opening the files that software inventory scans. It rescans them to ensure they are not infected with a virus.

Describe the steps to create a software inventory rule, and consider demonstrating how to configure software inventory rules. No demonstration topic exists.

NOTE: Asset Intelligence generally is a better way to identify installed software.

Reference: Configuring Software Inventory in Configuration Manager
40
Overview of Asset Intelligence
Asset Intelligence:
- Extends hardware inventory
- License reporting
- Supports ISO/IEC tags
- Collect information about App-V apps

Explain that Asset Intelligence information provides extensive software and hardware inventory information, as well as a number of reports.

Reference: Introduction to Asset Intelligence in Configuration Manager
41
Benefits of Asset Intelligence
Asset Intelligence provides the following benefits over software inventory:
- More accurate representation of software titles present on managed computers.
- Information about the license usage for specific products, rather than just information about the software itself.

Asset Intelligence retrieves information about installed software through the Hardware Inventory Client Agent.

Describe the Asset Intelligence components:
- The Asset Intelligence catalog.
- The Asset Intelligence synchronization point.
- The Asset Intelligence home page.
- Asset Intelligence reports.
42
The Asset Intelligence Catalog
Asset Intelligence catalog features:
- Includes more than 500,000 software titles
- Enables import of software license information
- Provides information about hardware requirements for some titles
- Is updated periodically through System Center Online

Describe the features of the Asset Intelligence Catalog.
43
Configuring Data Collection for Asset Intelligence
Configuring Asset Intelligence can include the following tasks:
- Enabling Hardware Inventory and software metering
- Enabling Asset Intelligence inventory reporting classes
- Enabling Windows Event Log settings
- Importing software license information
- Installing an Asset Intelligence synchronization point
- Configuring Asset Intelligence maintenance tasks
- Configuring Asset Intelligence security

Point out that this is a full list of tasks that you may, or may not, need to configure based on your current site settings or Asset Intelligence reporting requirements.

Reference: Configuring Asset Intelligence in Configuration Manager

For more information on converting Microsoft Volume Licensing Service (MVLS) files and creating license .csv files for import into Configuration Manager, see Importing Software Licenses Into the Asset Intelligence Catalog at the following web page:
44
Overview of Software Metering
Software metering is the process of gathering detailed data on program usage from client computers in a Configuration Manager site.

Types of data collected:
- Program usage information
- File information
- Program information

Explain that you can use software-metering data in a number of scenarios, and that it can help determine:
- How many instances of a particular software program users are using.
- How many licenses of a particular software program you need to purchase when you renew your license agreement with the software vendor.
- Whether any users are still running a particular software program. If users are not using the program, you could consider retiring the program.
- What times of the day users are using a software program most frequently.

Question: Which types of applications would you want to meter in your organization?
Answer: Answers will vary. Possible answers may include Microsoft Office applications, line-of-business software, or third-party applications.

Question: Describe various scenarios where software metering can help determine software usage.
Answer: An organization might want to analyze the usage of an application, to determine whether it should upgrade the application based on usage.
45
How Software Metering Works
When you enable the Software Metering Agent, it:
1. Collects data each time a monitored program runs and terminates
2. Uploads data to the management point on a scheduled basis
3. Forwards data to the site server
4. Adds data to the site database
[Slide diagram labels: Software Metering Agent, Monitored program, Site Server]

Mention that software metering is, by default, enabled for the entire site, but that you can configure it within a Custom Client Device Settings configuration to target a specific collection. In order for software metering to work, you must enable the Software Metering Agent. You may want to demonstrate how to enable the Software Metering Agent. Do note that this agent is enabled by default.

Describe the software metering process as outlined in the slide. Point out that the Software Metering Agent continues to collect usage data even when there is no connection to the Configuration Manager site, and will report back this information when the connection is re-established. Point out that there are a number of methods that you can use to view the data, including reports, queries, and collections. Module 5 discusses queries.

Question: How does software metering work for portable computers that are not frequently connected to the network?
Answer: Metering data will be registered on the portable computer, and then uploaded to the management point the next time the portable computer connects to the corporate network.
46
Configuring the Software Metering Agent and Rules
To create a software metering rule:
1. Navigate to the Software Metering node
2. Create a new software metering rule
3. Provide relevant information for the program that you want to meter
4. Apply the rule to other sites if applicable

Explain the information in this animated slide.

On Display: Explain how to enable the Software Metering Agent and set a software metering data collection schedule.

Click 1: Describe the steps to create a new software metering rule. Point out that if you type the executable name into the File name field, no checks are carried out to determine whether this file exists or whether it contains the necessary header information. When possible, use the Browse button to specify the executable file to be metered.

Click 2: Describe how automatic software metering rule generation provides the ability to automate rule creation based upon software usage. Be sure to point out that automatically created software metering rules are, by default, disabled. Before you can begin to collect usage data from these rules, you must enable them.

Review the properties that must be set in the General tab of the Software Metering Properties dialog box, including:
- Enabling the option to Automatically create disabled metering rules from recent usage inventory data.
- Specifying the percentage of computers in a Configuration Manager site that must use a particular executable before a software metering rule for it is created automatically. The default value is 10 percent.
- Specifying the number of rules after which no new software metering rules will be created automatically. The default value is 100 rules.
- Configuring the period of time that software metering data is retained. The default value is 90 days.
47
END
Abu Zobayer (MCT)
Updated by Eddie Jackson