The rejuvenating updates embodied in System Center Configuration Manager 2007 R3 make the R3 release a must for enterprise organizations that already use SCCM and are moving to Windows 7. Even for organizations that are staying put on Windows XP, if SCCM is already in place, there are a number of management improvements that will likely tempt desktop managers including fleet power management, dynamic collections and Active Directory difference discovery. As with the R2 release, only organizations with Microsoft's Software Assurance can use the sprawling SCCM, which was released in October of 2010.
There are plenty of mature options available for IT managers when it comes to desktop and laptop management tools. Symantec's Altiris suite of deployment and management products is one. LANDesk, with a sweeping array of management, protection and reporting tools is another. At this point in the PC lifecycle, management tools are well understood and established fixtures in the physical management landscape. Thus, the main choice facing desktop managers when dealing with an entrenched management solution is whether the new features warrant stepping up to the newest version.
In general, the R3 version of SCCM streamlines management activities. One exception to this rule is the new power management controls. As with many aspects of SCCM, the effective implementation of this feature depends on the user system running some relatively modern version of the Windows operating system. You can assume that Linux and Mac systems generally are outside the scope of SCCM.
Power management depends on a phased implementation approach. I used a group of Windows XP SP3 and Windows 7 desktop and laptop systems in my tests. Following the best-practice guidelines supplied with SCCM, I first monitored power use as reported by the SCCM client that was installed on each of my monitored systems to gather reports on what constituted normal power usage.
As any IT manager who has attempted a power management policy, it is essential that normal usage patterns be understood before attempting to enforce power restriction plans. It was easy enough to gather these reports, and the power policy defaults are set to non-enforcement.
On both my Windows XP and Windows 7 systems it was possible to set and enforce various power-conserving usage plans using the same power plan settings that are available manually on Windows systems. For example, I was able to enforce a limiting plan that dimmed the display on my Lenovo ThinkPad after 15 minutes of idle time and put the system to sleep after 30 minutes of non-use.
In addition to slimming down user power consumption, Microsoft also reduced the amount of time IT managers will spend waiting for reports. Two new features, one called "Dynamic Collection Evaluation" and the other "Active Directory Delta Discovery," both operate on a principle of looking only at what is new or changed when reporting information. In using Dynamic Collections, I was able to scan for newly added resources including new users' systems, and systems that were newly provisioned with an operating system, among other characteristics. The scan occurs every five minutes, so IT managers should ensure these quick-but-frequent scans don't place an undo burden on network traffic.
Similarly, Active Directory Delta Discovery shows that Microsoft is getting smarter about using valuable server resources. Unlike Dynamic Collections, I was able to change the default five-minute interval used to discover newly added computer, user, security and system objects in Active Directory. Both these features are welcome tuning features that should help IT managers stay more up-to-date while not drastically increasing the drain on system CPU and network resources.
If your organization is going down the desktop compliance road, SCCM has gained increased policy and enforcement tools that can help. Make no mistake, desktop compliance is a sticky wicket to enforce and organizations that pursue compliance using SCCM should understand upfront the amount of time and effort that will be needed for successful implementation. The good news is that my tests showed that once a desired configuration was decided on, the tool set in SCCM will likely work to help get user systems back in line through the aggressive use of software distribution tools.
Because SCCM is big on operating system and application delivery, that is the enforcement approach of choice as opposed to user privilege restriction. When my systems went out of policy, as determined by a query of the SCCM database, I was able to advertise application packages to those systems. Both the query process and the advertising package delivery is complex and will require SCCM expert staff to implement. While the addition of desired state capabilities are a nice addition to SCCM, I recommend that these features be used in conjunction with other user right restriction products that help keep users from going "off road" in the first place.