Configuration Manager 2007 Updates SMS
Oct. 8, 2007

The new version of Microsoft's Systems Management Server (SMS), which is being renamed System Center Configuration Manager (CM) 2007, allows an organization to manage the deployment life cycle of Windows computers centrally. This major release, which will be generally available in Nov. 2007, includes new features, such as support for Network Access Protection (NAP), as well as enhancements to features such as mobile device management. Many separately released features are now integrated into the main product. While existing SMS deployments can be upgraded, organizations may want to rethink deployment strategies and make changes to take full advantage of new and improved features.

What's New?

Major new features in CM 2007 include support for NAP and Wake on LAN.

Network Access Protection Support

Windows Server 2008 NAP allows IT administrators to block access to the network from computers that fail to meet an organization's security and configuration policies. For example, if an organization requires that all computers must have the latest security updates, then a computer lacking a security update is restricted from full network access until it complies.

Before requesting access to an organization's resources, System Health Agents (SHAs) in the computer's NAP client perform a series of health checks on the computer. The results are packaged into Statements of Health (SoH), which the NAP client then passes to System Health Validators (SHVs), server-side components from Microsoft and third parties that can analyze an associated SoH.

For example, one SHA could check for security updates, create a SoH describing the status of updates on the client, and forward the SoH to the security update SHV for analysis. A second SHA could check the status of antivirus software, create a SoH describing its findings, and forward it to the antivirus SHV.
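
A simplified model of the NAP health evaluation this section describes, from the SHA checks through the server's access decision and remediation. It is an added example, not Microsoft code or the NAP API; the class and function names, the update IDs, and the choice to treat a missing SoH as noncompliant are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: update IDs the organization deems mandatory.
REQUIRED_UPDATES = {"UPDATE-A", "UPDATE-B"}

@dataclass
class SoH:  # Statement of Health produced by one SHA (hypothetical shape)
    sha: str
    data: dict

@dataclass
class SoHResponse:  # produced by the SHV that analyzed the SoH
    shv: str
    compliant: bool
    remediation: list = field(default_factory=list)

def updates_sha(client):  # client-side check of installed updates
    return SoH("updates", {"installed": sorted(client["installed"])})

def antivirus_sha(client):  # client-side check of antivirus status
    return SoH("antivirus", {"running": client["av_running"]})

def updates_shv(soh):  # server-side: compare against the mandatory set
    missing = sorted(REQUIRED_UPDATES - set(soh.data["installed"]))
    return SoHResponse("updates", not missing, missing)

def antivirus_shv(soh):
    ok = soh.data["running"] is True
    return SoHResponse("antivirus", ok, [] if ok else ["start antivirus"])

SHVS = {"updates": updates_shv, "antivirus": antivirus_shv}

def evaluate(sohs):
    """Policy server: fold per-SHV responses into one decision (the system-level response)."""
    by_sha = {s.sha: s for s in sohs}
    responses = []
    for name, shv in SHVS.items():
        if name in by_sha:
            responses.append(shv(by_sha[name]))
        else:  # assumption: a required SoH that never arrives fails closed
            responses.append(SoHResponse(name, False, ["no SoH received"]))
    access = "full" if all(r.compliant for r in responses) else "restricted"
    return access, responses

def remediate(client, responses):
    """Remediation server role: install only the mandatory updates reported missing."""
    for r in responses:
        if r.shv == "updates":
            client["installed"] |= set(r.remediation) & REQUIRED_UPDATES
```

A client that omits one of the expected SoHs stays restricted in this model even if every SoH it did send is clean, which is the behavior to check for when reasoning about how a health policy handles agents that are disabled or absent.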
Each SHV generates a Statement of Health Response, which the NAP Network Policy Server uses to construct a System Statement of Health Response. The server then uses this statement to determine whether or not to grant the client access to the network, or to restrict the client access until it is brought into compliance.

CM 2007 can play two roles with NAP. First, CM 2007 can serve as an SHV, evaluating the software update SoH sent by the CM 2007 client in order to enforce the presence of software updates the organization deems as mandatory. Second, because it is a tool to manage computers, including distributing software, CM 2007 can serve as a remediation server to bring noncompliant computers into compliance; for example, by updating software to the required versions.

Wake on LAN Support

CM 2007 servers can remotely wake up managed computers for update or inventory when the computers are on standby or turned off using the standard "magic" wake-up packets supported by some network cards. Many organizations configure computers to reduce power consumption by putting computers into a sleep state or turning them off when they have been idle for a specified period of time. But these power conservation efforts conflict with the desire to implement configuration management changes during non-business hours to minimize the impact of updating on user productivity and network bandwidth.

Wake on LAN should work well with the CM 2007 maintenance window feature, which allows an organization to designate a time period during which maintenance tasks can run. Although they are not the primary scheduling mechanism for maintenance, maintenance or service windows are still useful because they allow administrators to prohibit maintenance until times when network traffic is at a minimum and the computers are not being used, minimizing impact on user productivity.
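
The "magic" wake-up packet mentioned above has a fixed layout: six 0xFF bytes followed by the target network card's MAC address repeated 16 times. The following added example (not CM 2007 code; the function names are hypothetical) builds that payload and, for auditing captured traffic, recovers which machine a given payload was meant to wake.

```python
import re

SYNC = b"\xff" * 6  # every magic packet begins with six 0xFF bytes

def mac_to_bytes(mac):
    """Convert a colon- or hyphen-separated MAC string to 6 raw bytes."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))

def build_magic_packet(mac):
    """Return the 102-byte payload: sync run plus the MAC repeated 16 times."""
    return SYNC + mac_to_bytes(mac) * 16

def parse_magic_packet(payload):
    """Return the target MAC if payload holds a well-formed magic packet, else None.

    The pattern may be preceded or followed by other bytes, so every
    candidate sync run is tried rather than only offset 0.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]
        # A valid body is exactly 96 bytes and is one 6-byte value repeated.
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None
```

Logging the MAC returned by `parse_magic_packet` alongside the capture time gives a record that can be compared with the maintenance windows described above.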
To support Wake on LAN with CM 2007, network cards in client computers must support the wake-up packet format (a requirement of the Designed for Windows Logo), and computers must be configured in both the network card and the computer BIOS to respond to wake-up packets.

What's Improved

CM 2007 also features integration and improvement of formerly separate features, and improvements to existing features.

Integrated and Improved Feature Packs

Some features, such as desired configuration management (DCM), mobile device deployment (MDD), OS deployment (OSD), and asset tracking, were previously not included in the product but were available as either a feature or service pack. They are now included in the product.

Desired configuration management. Originally named SMS 2003 DCM and released as a Business Solution Add-On for SMS 2003 SP1, DCM allows an organization to schedule comparisons of a desktop computer or server's current configuration against best practice configurations from Microsoft and other vendors, such as guidance that Microsoft has issued for Exchange. DCM can also verify the configuration of new computers before the computers go into production. It will also identify deployed computers with nonauthorized configurations, including missing critical updates. This prevents drift toward incorrect or suboptimal configuration, which can happen because preset options do not work in all cases and users and administrators do not understand how to best configure all the options.

Administrators can build customized DCM configuration baselines that define settings for the following:
Although customers can build their own configuration baselines, many will simply want to import configuration baselines that others create. For example, Microsoft will provide a Web site for CM 2007 configuration packs, which encapsulate recommended configurations and best practices for Microsoft products such as Exchange Server. Microsoft has also licensed content from partners such as Brabeion to provide configuration packs to help monitor the configuration of computers in the context of regulatory requirements, such as the Federal Information Security Management Act, the Health Insurance Portability and Accountability Act, and the Sarbanes-Oxley Act.

Mobile device deployment. Originally part of the SMS 2003 Device Management Feature Pack, MDD gains support for devices based on the following platforms: Windows Mobile 2003 Smartphone, Windows Mobile for Pocket PC 2003 Second Edition, and Windows Mobile 6, Standard, Classic, and Professional Editions. MDD will now allow an organization to manage mobile devices over the Internet. If an organization has deployed any device management scripts, these scripts will not run because the device management script engine has been removed in CM 2007. Few organizations have created such scripts; those that have or that want to will need to use the .NET Compact Framework and a .NET language to replace the script's functionality.

OS deployment. First released in a feature pack for SMS 2003, OSD tools capture Windows Image (WIM) format file images, perform user state migration, and deploy images to computers managed by CM 2007. OSD uses a driver catalog to help manage the complexity of deploying an OS in an organization that has different types of computers and devices. For example, administrators can create a driver package for each type of computer manufacturer they need to deploy. Storing device drivers in the driver catalog and not with each individual OS image greatly reduces the number of OS images required.
In addition, OSD includes a new task-sequence editor to help administrators customize the distribution and configuration process. Task sequences can perform multiple steps or tasks on a client computer at the command-line level without requiring user intervention.

Asset Intelligence. First introduced in SMS 2003 SP3, the Asset Intelligence technology inventories managed computers using a database of software "fingerprints," which can be downloaded from Microsoft, and then identifies various hardware components and software titles and versions. Asset Intelligence provides more accurate and detailed scans of PCs than SMS 2003 originally did, particularly for software that doesn't register itself properly in the Windows Add/Remove Programs component. It thus facilitates the tracking of Microsoft software application licenses via compliance tracking reports, which should allow an organization to better evaluate its licensing usage and needs. New features include new license management reports (including a License Ledger feature that compares license usage with Microsoft License Statements), tracking of USB device usage, and reporting on software or hardware changes that occurred between inventory cycles.

Updated Features

Many features, such as software updates, software distribution, and the administrator's console, have been updated.

Software updates. Introduced with SMS 2003, software update tools manage software updates to computers running Windows desktop OSs. Administrators can now use Windows Server Update Services (WSUS) 3.0 to get updates for deployment via CM 2007.

Software distribution. This longstanding feature of SMS allows administrators to deploy software to managed computers and is improved in CM 2007 by a new role, the branch distribution point, which can be run on a client computer. This allows small offices to benefit from centralized updating without requiring them to maintain a server.

Administrator console.
In the past, administrators performing multiple tasks often started multiple consoles from which to manage and configure SMS. The CM 2007 console is now multithreaded so that administrators can perform several administrative tasks simultaneously.

Infrastructure Changes

CM 2007 and SMS 2003 can interoperate with minimal problems, although the CM 2007 console cannot be used to fully manage an SMS 2003 primary site, and using the CM 2007 console to manage an SMS 2003 secondary site has some limitations, such as the inability to change accounts or passwords of the secondary site. Although SMS 2003 clients can be assigned to and will be fully interoperable with a CM 2007 site, assigning CM 2007 clients to SMS 2003 sites is not supported, and the clients will not function properly.

There are two different strategies for upgrading from SMS 2003 to CM 2007. In-place upgrades are generally easier and are best suited for organizations that do not want to modify any computer hardware currently in use in SMS 2003 sites, do not want to make any site boundary changes, and do not want to reassign clients to new sites. Side-by-side upgrades may be appropriate if the organization wants to deploy new hardware, revise the site boundaries, or rearrange sites and clients within the site hierarchy. A mixture of in-place and side-by-side updates can also be used. Organizations will want to examine which new features they want to use, such as the new branch distribution server or SHV roles, and then take into account any changes the new roles might require for the site hierarchy or boundaries in order to help them decide on the right upgrade strategy.

Although Microsoft has officially changed the product name to Configuration Manager, many services, file names, shared folder names, and CM 2007 groups still retain an SMS abbreviation-based name to ensure backward compatibility with management scripts.
For example, the provider is still called the SMS Provider, and many status messages still refer to SMS because the messages could apply to an SMS 2003 child site.

Availability and Resources

An evaluation version of System Center Configuration Manager 2007, which can be upgraded to a fully licensed version, can be downloaded from technet.microsoft.com/en-us/configmgr/bb736730.aspx.

Prerequisites for installing CM 2007 are detailed at technet.microsoft.com/en-us/library/bb694113.aspx.

The Configuration Manager home page is www.microsoft.com/smserver/default.mspx.

Detailed documentation for CM 2007 is available through TechNet at technet.microsoft.com/en-us/library/bb680651.aspx.

Configuration Manager 2007 licensing information can be found in "Configuration Manager Licenses More Costly, Restrictive".

Microsoft will be publishing configuration data for its software, as well as from other software vendors and solution providers, at the Microsoft System Center Configuration Manager 2007 Configuration Packs Web page at https://connect.microsoft.com/content/content.aspx?ContentID=4530&SiteID=16.