Configuration Manager Current Branch and Windows 10 1607


Some useful information that can help determine if you are on the correct version to deploy Windows 10 1607.

Configuration Manager and the Windows ADK for Windows 10, version 1607




Configuration Manager Assessment

Things to consider when doing a Configuration Manager assessment:

Network environment:

What does your network topology look like?

What are the WAN link speeds, network latency and bandwidth?

What network infrastructure and security devices are in place?

What ports and protocols are allowed through these devices?

What are the usage patterns for network resources, network utilization?

At which locations will you provide services?

What client systems are at each location?

How many devices are to be managed in total?

What users are at each location?

How do external/remote users connect to the corporate network?

Is support for 802.1X authentication required?

Is there a PKI implementation?

Is a POC environment available?

How are change requests handled?

Active Directory environment:

Do you have multiple AD forests?

If so, what are the trust relationships?

Will you support computers in workgroups?

SCCM Operators

Who will use the system?

What tasks will they be required to do?

Server and Data Center infrastructure:

Is server infrastructure centralized in a few large data centers or is it distributed?

Are some data centers better connected than are others?

What are the hardware standards?

Is virtualization preferred?

Installed client base and hardware refresh cycle:

What is the hardware and operating system (OS) mix for the installed PC base?

How are new systems imaged?

Is PXE booting to install images required?

What mobile devices are in use?

Is there a need to support embedded systems?

How often are systems replaced?

Are users allowed to bring their own systems?

Is there a planned OS upgrade?

Who are you deploying Windows to or for?

What OS are you deploying?

What applications do you want to deploy with the OS?

Will this be different for different user or system roles?

To which hardware models are you deploying the OS?

Will you support mobile device clients such as smartphones, or Internet-only clients?

Will App-V be enabled for deploying virtualised applications?

How are clients being updated with Windows patches?

Are third-party update patches required?

Existing SQL Server deployment:

Will you be using existing SQL servers?

Do these systems meet ConfigMgr requirements?

Are SQL servers clustered?

Are SQL reporting services deployed?

Storage and backup infrastructure:

What storage technologies are in use?

How is data replicated between storage systems?

Details of the design such as optimum server placement, hardware configuration, and client installation methods depend on the IT infrastructure and services you have in place.

SCCM Cross Forest support

Here are some points about cross-forest support:

A two-way trust is mainly for adding a child primary or secondary site in a remote forest.

To consolidate devices in a remote forest with an existing site, no trust is required.

To allow remote forest support in an existing Primary

These are all configurable from the console, and we can use a specific account to connect to the remote forest (so a trust is not actually required). We do need to allow the required network traffic.
So to summarise, the goal is to:

• Discover the forest and publish Configuration Manager Site information into the forest.
• Configure AD System Discovery to run against the forest.
• Configure Client Push Installation to work in the forest.
• PXE boot clients for OSD

Configuration Overview –

• Add the forest to the Active Directory Forest Hierarchy Configuration Node in the ConfigMgr console. This will discover information about the forest such as sites and subnets and also allow us to further configure publishing to this forest.
• Publish the ConfigMgr 2012 site information into the remote AD forest. The Active Directory of the forest will require the CM 2007/2012 schema extensions, and the System Management container will need to exist prior to publishing.
• Configure System Discovery for the remote forest.
• Ensure that boundaries have been created that will represent each client in the remote forest and that these boundaries have been added to a configured boundary group.
• Configure Client Push Installation with an account suitable for client installation in the remote forest.
• Deploy clients.
• For PXE, use IP helpers, which is the preferred method to allow clients to find the PXE server.
• Deploy a PXE DP in the remote forest.

Points to consider
The Application Catalog web service point must be installed in the same forest as the site server.
Firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's SQL Server:

• Asset Intelligence synchronization point
• Endpoint Protection point
• Enrollment point
• Management point
• Reporting service point
• State migration point

The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database.

If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:

• Management point: Management Point Database Connection Account
• Enrollment point: Enrollment Point Connection Account
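
The firewall and connection account points above can be checked before any role is installed. The script below is an added example, not part of the original post or of Configuration Manager: it is meant to run on the prospective site system server in the untrusted forest. The SQL host name, the planned role list and TCP port 1433 (the SQL Server default) are assumptions to replace with your own values.

```powershell
# Added example: pre-flight check run on a server in the untrusted forest
# before installing site system roles on it.
# Assumptions (not from the original page): the SQL host name, the role list,
# and TCP 1433 (SQL Server default; use your instance's configured port).
param(
    [string]   $SqlServer    = 'sql01.corp.example',   # placeholder host name
    [int]      $SqlPort      = 1433,
    [string[]] $PlannedRoles = @('Management point', 'Distribution point')
)

# Roles the page lists as needing direct access to the site database.
$needsSql = @(
    'Asset Intelligence synchronization point', 'Endpoint Protection point',
    'Enrollment point', 'Management point',
    'Reporting service point', 'State migration point'
)
# Roles whose connection account must be set when installed in an untrusted domain.
$connectionAccount = @{
    'Management point' = 'Management Point Database Connection Account'
    'Enrollment point' = 'Enrollment Point Connection Account'
}

# Test the SQL port once, and only if at least one planned role needs it.
$sqlReachable = $null
if ($PlannedRoles | Where-Object { $needsSql -contains $_ }) {
    $sqlReachable = (Test-NetConnection -ComputerName $SqlServer -Port $SqlPort `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
}

$report = foreach ($role in $PlannedRoles) {
    $direct = $needsSql -contains $role
    [pscustomobject]@{
        Role              = $role
        NeedsSqlAccess    = $direct
        SqlPortReachable  = if ($direct) { $sqlReachable } else { 'n/a' }
        ConnectionAccount = if ($connectionAccount.ContainsKey($role)) { $connectionAccount[$role] } else { 'none' }
    }
}
$report | Format-Table -AutoSize

# Fail the check if any role that needs the database cannot reach it.
if ($report | Where-Object { $_.NeedsSqlAccess -and $_.SqlPortReachable -eq $false }) {
    Write-Error "SQL Server ${SqlServer}:$SqlPort is not reachable from this host."
    exit 1
}
```

A successful TCP test only shows that the firewall path is open; the connection account still needs appropriate access to the site database, as described above.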