MMS 2017 is a few weeks in the rear-view mirror at this point, and now that I’ve had some time to mull over everything I learned and the experience in general I wanted to put some of those thoughts and takeaways out there for those who couldn’t make it. This will be a two-part post; part one containing my thoughts on the conference and part two containing interesting things I learned in the various sessions.
Windows 10 obviously had a strong showing in session count and content, with a strong emphasis on what it takes to get an enterprise moved over to the new hotness. The biggest and most important takeaway is that the old ways are not going to work for you going forward. No more skipping every other OS and doing big OS rollouts every 5 or so years. Windows 10 is the last big scary change; it’s all incremental from here on out so you might as well wrap as much positive change as you can with that big bang. Things like throwing out your redundant third-party security software, finally taking away admin rights, and getting rid of that old EOL software you’ve been meaning to kill.
Just when we were getting used to Current Branch/Current Branch of Business, they go ahead and change it again to Semi Annual Channel Pilot and Semi Annual Channel Broad. Just rolls off the tongue, doesn’t it?
With the latest version of Windows 10 (v1703) and the newest ADK, there is a new tool called MBR2GPT. This tool is going to help with those in-place upgrades and getting your devices over to UEFI. Why is that important, you ask? Basically every new security innovation in Windows 10 requires it (Secure Boot, Credential Guard, Application Guard, Device Guard). Mike Terrill has an excellent post on this.
MMAT is something that was totally new to me from this conference, and something I’ve flagged as needing to research further. From what I gather, the tool analyzes the applied group policy items on a workstation and tells you which could be migrated to an MDM policy. This could be huge in helping to identify what, if any, blockers there would be to moving away from group policy into a full modern management style solution.
A bright spot of the conference is always Steve Thompson’s SQL talks. It’s a subject I don’t know nearly enough about so I appreciate the chance to dive in a bit. A couple of key points from his talk this year:
• Make sure disks are formatted with 64kb block size
• Play with MAXDOP settings, may have benefit (Default is 0, 1 disables it, some large orgs set theirs to 2)
• Use Ola’s script, index weekly, rebuild stats daily. Steve has a great article on how to implement it.
• Keep an eye on Virtual Log Files, hundreds OK, thousands not so good. Read more about this here.
The Configuration Items Dissected session showed off a ton of really useful CIs, and the best part is they put them all up on GitHub for people to steal. If nothing else, look through them to get ideas for your own CIs (and then share them!).
Kim Oppalfens had what I’m assuming was a pretty great session on Collection Evaluation that I wasn’t able to make it to. I did glean some good info out of the slide deck however. The importance of using indexed fields in your collection queries was discussed, with one example given of using the “ProductName” field instead of the “ARPDisplayName” field. Just making this simple change cuts processing down from 102 seconds to 6 seconds, amazing. They also went into a fairly complex formula for determining how many incremental collections you can have. The Microsoft recommendation has always been no more than 100 collections with incremental updates. Turns out there is quite a bit of wiggle room as that is accounting for roughly 7000 “changes” occurring during the incremental update threshold. If your environment isn’t changing that frequently you can probably get away with more. Examples of “changes” given included HW Inventory, Discovery, and LastPolicyRequest information.
With the WannaCry malware on everyone’s minds, many sessions went over the importance of disabling SMBv1. There is a CI for it on GitHub. The importance of BIOS/Firmware updates was stressed, which in all honesty is something that I (along with most people I imagine) never really considered. Gary Blok has some really good posts about how to go about updating this in a sane manner.
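As an added example (not the CI from the GitHub repo or from any of the sessions), this is a PowerShell discovery script a ConfigMgr CI could use to report whether SMBv1 is still enabled on a device. The 'Compliant' return string and the finding labels are conventions of this example; the compliance rule in the CI is assumed to check for the value 'Compliant'.

```powershell
# Added example: discovery script for a ConfigMgr configuration item (CI).
# Emits 'Compliant' or a list of findings. The CI compliance rule is assumed
# to expect the string 'Compliant' (a convention of this example).
$findings = @()

# SMB server side: the device must not offer SMBv1 to clients.
try {
    $server = Get-SmbServerConfiguration -ErrorAction Stop
    if ($server.EnableSMB1Protocol) {
        $findings += 'Server:EnableSMB1Protocol=True'
    }
} catch {
    # Older OS without the SMB cmdlets: fall back to the registry value.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means the default, which is "enabled" on those systems.
    if ($null -eq $smb1 -or $smb1 -ne 0) {
        $findings += 'Server:SMB1 registry value is not 0'
    }
}

# SMB client side: the SMBv1 client driver should be disabled (Start = 4).
# If the service key is absent, the driver is not installed at all.
$drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                        -Name Start -ErrorAction SilentlyContinue
if ($drv -and $drv.Start -ne 4) {
    $findings += "Client:mrxsmb10 Start=$($drv.Start)"
}

# Optional feature: where the OS exposes SMB1Protocol, it should not be enabled.
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    if ($feature.State -eq 'Enabled') {
        $findings += 'Feature:SMB1Protocol=Enabled'
    }
} catch {
    # The feature or the DISM cmdlets are not available on this OS; nothing to report.
}

# Single string result for the CI rule to evaluate.
if ($findings.Count -eq 0) { 'Compliant' } else { $findings -join '; ' }
```

Reporting the individual findings rather than a bare true/false makes it visible in compliance reports whether the server side, the client driver, or the optional feature is what still needs attention. A matching remediation script for the server side would call `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force`.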
For those of you interested in running ConfigMgr in Azure, there was a session that went into how to go about that in great detail. They recommended using DS4_V2 VMs for the Primary Site system and FS class servers for the various site system roles. They also broke down the estimated cost of the VMs which wasn’t quite as high as I thought it was going to be.
Cool Tools and Links
Just some other random links and tools mentioned in various sessions. I’ll update this section as I come across new links.
Session Download Script – https://github.com/forevanyeung/CopyMMSFiles
Steal These CIs – https://github.com/npherson/StealTheseCIs/
Detect Secure Boot during TS – https://miketerrill.net/2017/05/30/bios-and-secure-boot-state-detection-during-a-task-sequence-part-2/
Install MBAM using a script – http://blog.coretech.dk/hra/use-powershell-scripts-to-installupgrade-mbam/
Advanced ConfigMgr Logging – http://www.oscc.be/sccm/configmgr/logfiles/advanced%20logging/debug%20logging/verbose%20logging/mmsmoa/Advanced-SCCM-Logging/
Reg file to PowerShell check/remediation script – https://reg2ps.azurewebsites.net/
Remote Compliance tool – https://gallery.technet.microsoft.com/ConfigMgr-Remote-Compliance-2a9e55f3
Community Tools Links – http://ccmexec.com/2017/06/links-from-exploring-the-wealth-of-configmgr-community-tools-at-mms/