I finally have a few minutes to do a brain dump. I finished my drum pad practice work (complete with imaginary stage performance, spot lights and pyrotechnics), smooched my little dogs, pet the cat, took a shower, and ate real food. It was amazing.
So… I’m probably not the busiest consultant working with Microsoft products, but I’ve combined my personal exposure with discussions among colleagues and mixed them with a few gallons of coffee, some mixed drinks, and a few banana muffins, and pulled this mess out of my, err, uhhh, head.
What Customers are coming at us with right now…
- Windows 10 Deployments
- Software Updates Management
- Endpoint Protection
- OSD PXE with UEFI
- Health Issues within SCCM sites
- EMS/Intune and SCCM
Windows 10 deployments are still pushing heavy. Many are combined with Office 2016 or Office 365 roll-outs as well. Most are on Windows 7, with a small number of Windows 10 pilot installations and maybe a few Windows 8.1 tablets, with a large percentage being driven by concern over missing the upcoming “free upgade” deadline. However, many are also interested in the feature improvements, ease of upgrade, and the new UX.
Among the most common negative comments I hear about deploying Windows 10 into a business environment are suppressing or removing features like Cortana, Edge and all the Start Menu apps (Money, Weather, Sports, XBox, Phone Companion, etc.). While these features are probably very useful to many customers, most businesses I deal with want them stripped out or hidden from users. I’m not a sales guy, I’m a wrench-turner, so I explain the features and what they can do, and then do what they insist.
One particular area that I seem to spend time with is helping customers plan, test and implement custom Start Menu configurations. The mix of PowerShell, Group Policy, MDT/SCCM and so forth is a bit of a cludge (or is it “kludge”? Heck, I don’t know). A more cohesive (yes, I use that word too often) model would be helpful. Maybe a WinSIM-like tool to model the layout more intuitively and some hooks to help spew it out via MDT/SCCM or as a GPO. I’m too tired to read that last sentence and validate it makes sense.
Software Updates management is always high on customer requests. I say “management” because it’s usually broader in scope than how to implement and use WSUS or ConfigMgr SUP features. Customers want advice on “best practices” for managing software updates. That means dealing with challenging maintenance windows, business operations schedules, weird product configurations, and almost always how to handle servers versus client devices. Oddly enough, this is one area that is lacking in terms of available content on the Internet (notice to book authors, cough-cough).
There’s plenty of info on “what”, “how” and “where”, but not as much on “why” or “when”. What would be useful would be scenario-based examples that use real industry situations. For example, how to manage updates within a hospital, as opposed to a manufacturing or food-processing plant. Another would be comparing small, to medium to large business environments, for example, a grocery store as opposed to a real estate office or a shopping mall.
For example, I know one customer who HAS to abide by a manufacturing process that dictates a 23 hour run schedule, followed by a 2 hour “downtime” window. The process does not stick to a 24/7 frequency. Try modeling that in most scheduling tools. Then another who relies on server products that aren’t cluster aware, and have only one instance, even though it’s on a VM. Like I said, there’s plenty of pieces out there, on working with the tools, but not much that rolls it all into scenarios like this.
Endpoint Protection was pretty quiet (from what I saw anyway) for most of the past year, but this Spring and Summer it has picked up considerably. Many are looking to cut subscription costs for third-party anti-virus products, and EPP is pretty appealing from that aspect.
While it’s not an unusually complicated feature to deploy, it does confuse customers who are used to McAfee or Symantec as to how it works with the SCCM client on Windows 7 versus Windows 10 or Windows Server machines. The policy templates are helpful, but many don’t realize it’s easier to customize them in a text editor than in the console.
OSD with PXE on UEFI devices is another area customer are trying to wrap their heads around. The DHCP environment and network engineering aspects are about as difficult as the BIOS vs. UEFI device configurations. Many are still spending time running devices in BIOS legacy mode to get them off the workbench on time, so that’s something many hope to see more tutorial articles about how to deal with DHCP scopes, vendor class configurations, and so on. The articles are out there on each piece of this puzzle, but not as much out there that rolls this into a nice series approach.
SCCM Health Issues never go away. The most common things I see during health checks:
- Incorrect site boundaries, incorrect boundary group configurations
- Using IP subnet ranges which overlap or leaving gaps
- Using AD site configurations which are hosed
- Missing or misconfigured site system references
- Not using DP groups
- Poorly configured Applications and Packages
- Replicating way too much content than is necessary
- Poor directory structure management
- Disabled or misconfigured site maintenance tasks
- Ignoring SQL maintenance
- Ignoring RBA account controls (too many admins)
- Poorly designed hierarchies
- CAS when not required
- Secondaries when not required
- DP placements (or lacking thereof)
- Unreliable backups
- Site status and component status queues
- Ignoring errors and warnings
- and chasing down errors/warnings
- Site System Server maintenance
- Lack of disk space (keeping disks clean)
- Under-sized host configurations (CPU, memory, NIC’s, etc)
- Missing Windows, ConfigMgr, and SQL Server patches and hotfixes
- Misconfigured services
- Too many garbage apps installed on servers
- Too many users logging onto servers too often
- DNS issues
- Misconfigured zones
- Updates and Scavenging
- Antivirus exclusion settings (regardless of AV product)
- Users with local Admin rights doing stupid things to their computers
I have to say that most of these aren’t the result of intentional neglect. Most shops (and I’ve blogged about this many times) are in the throws of “role compression” (aka “salary compression”), which results in shifting to a 24x7x365 fire fight, rather than striving for operational efficiency and proactive research.
More and more IT admins and engineers are doing more and more job roles than they were 10 years ago. Management is happy because they get one mid-range salaried engineer doing the work of 2 engineers and an architect, but in reality, they rarely get one of those roles under control. I could go on for days on this (and if you buy me drinks I just might).
EMS, Intune and SCCM integration projects have been fairly frequent this past year. Reasons vary from having Office 365 or Azure subscriptions, and wanting to leverage additional features, to migrating away from third-party MDM/MAM solutions (no names, but you probably know who they are).
This often goes into more discussion about head-to-head comparisons of specific features and capabilities, which is where my mind wanders into daydreams about winning the lottery and buying that hot pink, Hello Kitty theme, armored M/RAP with twin .50 caliber miniguns and a flamethrower. Wait… where was I? Oh yeah, mobile device management.
Anyhow, I dabble with Intune but I typically defer to one of our EMS architects to operate on that beast. I’m fine with the simple SCCM integration part.
If I had to toss in a few other challenges it might include:
- Inconsistent, inefficient or non-existent processes
- No clear configuration baselines
- No COE policies (very bad!)
- Incomplete documentation (mostly “what” but no “why”)
- Outdated imaging processes
- Whole-disk snapshot imaging (fat image, Ghost, Acronis, etc.)
- Too much crap in the reference image
- Missing updates in base images (longer patch times afterwards)
- At least consider MDT!
- Lack of objectivity
- Trying to implement configuration controls solely in the image
- Not using Group Policy where it makes sense
- Spending too much time managing app deployments
- Ignoring Software Center and user-driven (self-service) install processes
- Not evaluating when scripts or task sequences are a better fit for certain app installs.
- Lacking Google skills
- Plenty of clear-cut, easy to follow examples for automating many tasks
That’s about it.
And now, I need to crash…