In this interview, I asked Wally Mead to reveal how to upgrade your security thanks to new and powerful features in the ConfigMgr.
When most think of System Center Configuration Manager, there’s a one person that comes to mind: Wally Mead.
Paula:
I’m pretty sure that if you are interested in deployments you’ve seen Wally Mead speaking before at the various conferences. Wally is a Principal Program Manager at Cireson and he’s also engaged in different kinds of blogs, forums.
Can you give our listeners what would be the blog?
Wally:
I used to do a lot on the TechNet forums, but now I primarily work on our Cireson, and we have our own community site, which is kind of like a TechNet forum, but it’s at
Cireson.com. You can get to the community from there, and I help answer questions on our internal products for the customers as well as Configuration Manager questions.
Paula:
That’s cool, and Twitter? Do you tweet?
Wally:
Paula:
Okay, that’s great. So you should, guys, definitely check out. And as far as I know you’ve been 20, 22 years in Microsoft, right?
Wally:
22 years at Microsoft where I started with SMS before it was called SMS.
In the first initial stages of SMS 1.0 all the way up through Configuration Manager 2012 R2, I think, is when I left.
Paula:
So you got the knowledge directly from the source?
Wally:
I had very good access to the source, yes.
Paula:
Do you still cooperate closely with the Microsoft guys?
Wally:
I do, I have lunch with a number of them occasionally. I get to meet with them and they’re very kind to answer my questions if I email.
Paula:
That’s perfect, yes. So, well, today I’ve got a couple of disturbing questions about ConfigMgr.
Wally:
Oh, it’s disturbing.
Using Configuration Manager as a security tool
Paula:
How often do you see security being part of deployments with ConfigMgr or in general?
Wally:
Most people don’t think about Configuration Manager as a security tool, but there are a couple different ways you could look at it. One is, you have to secure your environment itself. So the product group has done a very good job of making sure that Configuration Manager itself is secure. For example, when there are different configuration settings, they always go with the most secure setting by default and then let the administrator opt out to change that if they want to. And then they architect it to try and be as secure as possible, making sure that the administrators have rights to only do what they need to do in the console. More importantly, what people usually think about Configuration Manager is how they can use it to help secure their environment, and traditionally the most common thing that people think about Configuration Manager in that aspect is deploying security patches.
It has been great for a number of years to be the mechanism to keep your Windows environment up to date, with the identification of security patches, downloading them, preparing them, and then getting them delivered out to your clients according to your administrator settings.
Configuration Manager feature: Automatic Deployment Rules
Paula:
Well, from our side, we see a lot of companies that, for example, have Configuration Manager but they’re not that much up to date. Is it very difficult to manage this?
Wally:
If they put the time and effort into it … Configuration Manager actually has a really cool feature called Automatic Deployment Rules, which are basically an enhancement on WSUS Automatic Deployment Rules or whatever they call them, Automatic Approvals, that will help automate the process. So once you configure your rules, Configuration Manager will automatically find the updates that are appropriate, download them for you, package them up, and then create the deployment to get them out there. So it’s really the investment you have to prepare those rules the way you want them, get the updates downloaded and deployed as you want, and then just do your monitoring from there.
Paula:
So I guess like, being an administrator in a company having a lot of stuff to do, that’s not really the task that you are able daily to spend your time. Maybe that’s where the problem comes from, right?
Wally:
Right, and that’s where the Automatic Deployment Rules really help: to automatethat and get you so that you can now start concentrating on other aspects of your environment without having to worry about your day-to-day security needs.
Paula:
What would be like your prediction for the time that has to be spent, for example, daily to take care of that process in a company?
Wally:
Honestly, not much. It’s if you don’t keep up to date then it’s a big struggle because the world is evolving daily as far as security issues, and trying to keep up to date, then it gets to be much more of a pain. And then you want to try and get antivirus software out there, anti-malware, you want to try and secure your desktops, you want to secure your mobile devices, all those things jump into the play, and then they distract from keeping things up to date and getting everything implemented the way you want. So most people try and tackle the thing that’s high on their minds, or what the CEO says, “Hey, you got to make sure you do this.” They’ll focus their energies on that, then when they find the spare time they’ll jump onto something else.
System Center Endpoint Protection as a tool to use for vulnerability management
Paula:
That’s a good point. What about the System Center Endpoint Protection? Because I found that this particular solution is a pretty cool tool that you can use for vulnerability management. So what do you think about this one?
Wally:
Yeah, it’s very good. When we first created it in the Configuration Manager and started implementing it, most people didn’t use it, but it’s not because of lack of features – it was more that they already had a contract, a license, with a third party vendor, whether McAfee or Symantec or whoever. And they already had spent their hundreds of thousands or millions of dollars on that, so they wanted to finish off what they had. So once their license was expiring, then they would go and look at the free solution from Microsoft that integrates great with ConfigMgr. They would do a comparison and, “Wow, it does essentially the same thing and I can get it for free versus spending hundreds of thousands of dollars a year.” Then they would start migrating over and find out, “Hey it does the exact same thing that the other guy did. And gives me better reporting because it’s built into the console with Configuration Manager.”
Paula:
Yeah, definitely. There are many types of tools that are out there that you have to pay for additionally that are performing the software scanning and so on. All that stuff can be done within the ConfigMgr, right?
Wally:
Right, right. And ConfigMgr, just about every release they add new settings to endpoint protection to help control or identify more Malware, as well as give you more administrative controls over what you do when the age it finds something it’s not sure what to do with.
Security features in the newest release of Configuration Manager
Paula:
Okay, cool. And what about the security features that are introduced in the newest release of ConfigMgr? Is there something valuable from the company’s perspective?
Wally:
Well, there’s a lot of things. I just did a session yesterday and all the things that have happening current branch since it released, and a lot of those were security related. Especially, the world has been going mobile now, and as you start integrating with Microsoft Intune into ConfigMgr, there’s a lot of settings in there to help you lock down your mobile devices. That’s one of the first things people want to do, is when they want to bring their mobile devices in, they want to get access to email, but the company wants to secure that. So you start locking down the device to have specific pin requirements, or password resets, or whatever it is. That’s a great capability in Configuration Manager to lock down those mobile devices, but they’re starting to carry that through to the desktop platforms with conditional access. You can’t get access to your email until your PC meets certain requirements that the administrator has set for you.
There’s Windows 10, a lot of integration there with managing the updates of Windows 10, creating servicing plans and servicing rings to help get new builds of Windows 10, which are even more secure by default, deployed out to appropriate pockets of environments or users, meaning your collections, at designated time periods. Integration with Windows Advanced Threat Protection. So the endpoint protection is great to keep things from happening, but if something does happen, then Advanced Threat Protection helps you identify what did happen and figure out how to prevent it in the future. A lot of cool things happening there. Upgrade analytics, as well as a lot of new dashboards in the console to make the information you’re getting from ConfigMgr more readily accessible to those that really need it, such as management who doesn’t want to look at statistics in a chart, they want to see a graph that’s pretty.
Paula:
Yeah, exactly. Does it look the same like in OMS?
Wally:
Yeah.
Paula:
Sort of like the pretty graph where you…
Wally:
Correct, for management.
Paula:
Actually, I was in a meeting with the management, and I was showing some part of this because we had some security project to do, and this is something that they really loved because it’s pretty.
Wally:
Yeah, yeah.
Paula:
It’s pretty, it’s meaningful, and for them, it’s like, “Oh, all green.”
Wally:
Right, right. They look at the red versus green and yellow, yes. And that’s a cool thing that ConfigMgr has done over the last couple of releases, specifically the last one, was in the area of patching, they have a new feature called Server Groups, so the ability of, in essence, taking a collection of clients, which could be desktops, your laptops, your servers, and treating them as a cluster so that you can control the patching order of them. So I want to make sure that my domain controller gets patched first, then it’s my site server, then it’s my IIS web server, then it’s whatever other. But you can control the order of those, and it will only move to one after the previous one’s finished completing. So you have a lot more control over how the patching process happens in Configuration Manager now.
Paula:
Yeah, that’s definitely something that companies should look at because, as I said, we often see in the penetration desk for example that there is System Center, and they’ve got it, so it’s like they’re halfway to the success, right?
Wally:
Right, right.
Consulting company: the best people to learn from
Paula:
But then they are not doing anything good because it’s so difficult for people that are like performing regular administration and they simply have no time.
Wally:
Right, right. And all these products there, they’ve got tons of power to them as you state, but they do take a little while for the learning curve to get up to speed with them to figure out how to implement this solution that you want, get my environment more secure. You can easily do that, it just takes a little bit of time and effort to get there.
Paula:
So I was, well correct me if I’m wrong, but I would say that the easiest way to keep it rolling is to just invite a super specialist that can do this for you, because then someone comes over, analyzes your environment, is like, “Okay, rules going to be like this,” then you guys just move forward. Besides like just keeping system center, doing nothing within the company, right?
Wally:
Yeah, you may need to go to either training, to get yourself up to speed which is great, but if you don’t have that opportunity, the time, or whatever. Then certainly getting a consulting company in there that can help you with that. A consulting company that has the expertise, that can easily do your analysis of what your current solution looks like, where your gaps are, then help you implement what those remediation schemes are to get you to where you need to be.
Paula:
And that’s what you guys do?
Wally:
We can do that, yes.
When you want to work more with the Configuration Manager you need to…
Paula:
Okay, cool. So two more questions that are more from the soft area. The first question is, if someone is young in the industry and they’re like, “Okay, we want to do deployments,” they work in the enterprise, they just start their career, what is the skillset do you think that this person should have in order to just start, jump to the field, and so on?
Wally:
Well if they’re a
young, new person, then they probably got a lot of the skillset which is mobile, because they live on their mobile devices all day long and that’s the way the world’s going, so they got a great start there. But as far as the rest in Configuration Manager space, it’s
spending some time with the solution. Again, whether it’s training, or whether it’s attending a training class or self-learning on the
TechNet Virtual labs or
Microsoft Virtual Academy sessions that they have out there.
Paula:
That’s a good resource.
Wally:
You need to spend the time to learn the solution because it is very complicated. I was there for 22 years and I still don’t understand everything about Configuration Manager. So nobody does, so don’t get your hopes up that you’re going to get there because nobody is going to ever get there. It just takes a while, long time. Plus, theyrelease new versions every four months now, and things change every single release, so it takes a long time. So just got to be patient, take small chunks, bit off those small chunks, get to the point where you’re comfortable in mastering one of them, then move on to the next area.
When you’re more advanced with Configuration Manager you can…
Paula:
Sure. And what about the guys that have already a lot of experience in infrastructure? Like for example, administrators that want to master application compatibility, et cetera, what would you advise them?
Wally:
Yeah, that’s kind of the same as the new guys, just that you’ve got more of the background behind Configuration Manager or whatever your other solution is, so now it’s just a matter of delving into this new area, but it’s going to be easier for you because you’ve already got the background in what the solution can do for you. So now it’s just a matter of picking up applications versus packages or picking up endpoint protection from your old solution that you had. You’ve already got the background, the knowledge, it’s just a matter of now the specific implementation details for this one solution. So it’s just taking the time and devoting the effort toacquiring some new knowledge and getting to a point where you feel like you’ve mastered it.
Paula:
Perfect, thank you so much. So a couple of words regarding summary. We have talked about:
- The possibility of implementing security within the ConfigMgr so that we can do the deployments with the different kinds of security settings.
- The new features that are in the newest release of the ConfigMgr.
- Endpoint protection as a pretty cool way to perform the vulnerability assessment, if I could describe it this way, to be able to analyze different types of versions of applications, and if there’s something wrong, we’ll be able to immediately spot that and eventually deploy the updates for the versions that are already outdated.
Thank you, Wally Mead, for being part of this interview. It was very insightful. I hope that you will like it too, and if you’ve got some questions to Wally, to myself, regarding this interview, make sure that you’re going to post them in the comments section below