So, what does the status quo look like?

If you are following my blog, you know I focus on systems management. If you’re new to my world, check this out for a primer.

When it comes to managing infrastructure, deploying content and enabling productivity – there is a right way, and then there’s everyone else. I’m not making the argument that this is a simple binary equation (e.g. either you are optimized or you are not). What I’m going to lay out in this piece are the signatures of an incomplete or immature strategy. It’s not meant to insult anyone, rather I have found in my hundreds of exposures to enterprise IT organizations that there are some key indicators upon which we can rely. Maybe as starting points, or in some cases, switches we can ‘flip’ to radically increase productivity.

Let’s take a look:

Indicator #1: Upgrade Hamster Wheel

So, something doesn’t work and the team thinks we need to upgrade to get it? Or maybe the vendor said “that feature is in our next release.” None of this is new to IT, but what you might be missing is how your internal maturity can affect this decision tree. That is, if you have a decision tree (zing!). 

More often than not, you are upgrading because you think you need a new feature or capability. Let’s back up the software truck a minute though, and consider how we got here.

IT Director says “Godfather (probably the CIO) wants Windows 10 on his desktop. When will it be ready?”

IT Admin says “Well, if I drop everything I can have an image ready by next month. But…”

IT Director says “Great! I’ll go tell him now (so I can look like I get things done)!”

IT Admin /logs off mentally

How many times have you seen this interaction in your IT organization? How many times has it happened to you?

There are sooooooooo many shiny things out there. Even this guy (points thumbs backwards) is known as Shadow IT ™ around the ITS offices. What can YOU do differently?

It’s pretty simple, but it’s not something the IT Admin or IT Pro can do (without some risk to themselves). Better decision making, and higher maturity, begins with the CIO. And that CIO should be embedding a process-driven decision tree framework in their directors and managers. I’m not going to give away all the secrets here, but let’s look at how that conversation goes in a higher-maturity shop:

IT Director says “Godfather (probably the CIO) wants Windows 10 on his desktop. When will it be ready?”

IT Admin says “Excellent, I’m also excited about Windows 10 and what it can do for our business. I have been thinking a lot about how we can streamline our patch compliance ops with Windows Updates for Business and that will be a key part of our Windows deployment strategy. Who can we leverage internally to build the business case? I’m happy to lead this effort and why don’t we aim for a presentation to the CIO in 30 days?”

IT Director says “Uh, yeah. That sounds good. I’ll set up the meeting (so I look competent at least) for you to present your findings.”

IT Admin /sips coffee, enjoys living in a world where decisions are not made outside of business processes and feels internal joy

You’re right though – it’s not that simple.

However, I will argue there are a few things that must be in place to ensure a better outcome. You may not think these are relevant to systems management, but they are.

Behold, thy truths:

  1. There are defined release and support cycles for operating systems
  2. There is a rapid-response protocol for new device form factors and use cases
  3. There is a cross-functional IT architecture team that drives all decision making for new releases
  4. Your business unit has an approved financial model in which you can evaluate the business benefits of any change or new release

Indicator #2: You always need consulting

I have been a consultant, and now I help manage an IT consultancy. Might seem crazy that I suggest this is a problem… let me explain why!

My view has always been that you shouldn’t bring a consultant in because you don’t know how to do something. You bring in outside expertise to get the benefits of their field experience and help accelerate your project. It’s about wisdom, not skill. We are all smart people… and frankly why would you pay someone else to push the Next button?

Anyways, where we see this problem become business-impacting is when your operations or project offices default to consulting for any change or incident. This is a leading indicator that your team is either under-staffed (meaning they don’t have time, and need outside augmentation) or unsure of how to proceed (there is a process problem).

The real point here is you should have a set process that includes a step to consider outside consulting. The process should not start with nor rely upon outside resources.

Indicator #3: FTEs go up, but productivity does not

If you are an IT manager or director, you probably have a handful of key people that get things done for you. When a new solution is brought in, or IT expands operations, it is natural to take on additional staff to manage the new workloads.

There are a couple different ways to measure your productivity here: inside the IT team, and within the end user community. Let’s dive in:

IT Pros

Teams should have a defined set of responsibilities, and those should be matched against the available time and broken down by service or product owners. You cannot improve what you don’t measure, and if you’re not measuring you are stuck.

End Users

The ultimate metric for most systems management teams is the relative happiness of their end users. These are the folks that need apps & data to be productive. If you’re not giving them what they want, the way they expect and without compromises – you are probably losing traction with the community that can provide the most leverage for budget allocation – or worst case, your right to exist in the larger organization.

Give people what they want, or they will find someone else who will.

Indicator #4: Process questions are answered with vendor terminology

Finally, this one is a red light and air raid siren for most CIOs. If you ask your team how something will get done, and the answer is specific to one vendor or product – you’re starting from the wrong place.

Systems and processes need to be born from wrestling with the challenges to your business, not from the tools or suppliers that help you deliver the necessary outcomes.

When you break it down to the most basic level, you need to define your why, which will lead you to developing the how. This all needs to happen before you start talking to vendors about how their offerings can help you deliver that.

An introduction to conditional access in ConfigMgr (current branch)

Do you want to keep non-compliant devices from accessing critical company data and prevent otherwise authenticated end users from opening their Exchange store from a non-compliant device, whether it is hosted or on-premises?

Oh snap, y’all.

Something relatively (but not, really) new in ConfigMgr is conditional access for managed devices. Now, this is not your father’s NAC solution, but rather a way for Microsoft to leverage the integration among its services to give you some push-button protection. I’ll do my best to explain how it all works, but you can read this TechNet article for a primer.

First component to this magic is Office 365. You may already be leveraging the mobile device management features that are built in. They look like this:

office protection center

While that is some really nice functionality, if you have ConfigMgr deployed and are feeling froggy – you can go waaaaaaaaaaaay beyond MDM.

Here’s where the conditional access chickens come home to roost, and your investment in Office 365 gets weaponized.

You see, when your Exchange and SharePoint services are already in the cloud (remember, the magic IT thing?) and you have a management conduit to those services (a la ConfigMgr service connection points), that enables you to do unicorn-level rocket ship engineering with just a few clicks.

Hint: If you need some background on integrations available with ConfigMgr read this article on TechNet.

Let’s dig a little deeper and see how this works. The following diagram is taken from this TechNet article covering ConfigMgr 2012 R2 and shows the basic workflow for conditional access:

The first thing you’ll notice is that two things are checked before conditional access policy is evaluated:

  1. Am I targeted by a policy?
  2. Am I exempted from the targeted policy?

If you are not targeted or are exempted from that policy, then the device is permitted to connect to the service.

If the device is non-compliant in any way, whether that compliance policy comes from Intune or ConfigMgr, or the device is not joined to an authorized domain, it will be denied access to the protected service.
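To make the evaluation order concrete, here is a small model of that decision flow. It is an added illustration, not ConfigMgr or Intune code: the `Device` and `Policy` classes, per-user targeting and exemption sets, and the `evaluate` function are assumptions that mirror the workflow above (targeted? then exempted? then device state).

```python
"""Model of the conditional access decision flow (added example, not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Device:
    user: str
    compliant: bool          # aggregated result of the ConfigMgr/Intune compliance policy
    domain: str | None       # None for an unjoined device


@dataclass
class Policy:
    service: str                          # protected service, e.g. "Exchange Online"
    targeted_users: set[str]              # assumption: policy targets users by name
    exempted_users: set[str] = field(default_factory=set)
    authorized_domains: set[str] = field(default_factory=set)


def evaluate(device: Device, policy: Policy) -> tuple[str, str]:
    """Return (decision, reason) for a connection attempt to policy.service."""
    # 1. Am I targeted by a policy? Untargeted users never reach the device checks.
    if device.user not in policy.targeted_users:
        return "allow", "user not targeted by policy"
    # 2. Am I exempted from the targeted policy?
    if device.user in policy.exempted_users:
        return "allow", "user exempted from policy"
    # 3. Only now is device state evaluated. Either failure denies access,
    #    even though the user is otherwise fully authenticated.
    if not device.compliant:
        return "deny", "device non-compliant"
    if device.domain not in policy.authorized_domains:
        return "deny", "device not joined to an authorized domain"
    return "allow", "device compliant and domain-joined"


# Constructed sample data, not taken from any real tenant.
EXCHANGE_POLICY = Policy(
    service="Exchange Online",
    targeted_users={"alice", "bob", "carol"},
    exempted_users={"carol"},
    authorized_domains={"corp.example"},
)

if __name__ == "__main__":
    for d in (Device("alice", True, "corp.example"), Device("bob", False, "corp.example"),
              Device("bob", True, None), Device("carol", False, None), Device("dave", False, None)):
        print(f"{d.user:6} -> {evaluate(d, EXCHANGE_POLICY)}")
```

Note that `dave` and `carol` are allowed regardless of device state: an untargeted or exempted user is exactly the gap the two preliminary checks create, so review who is left out of scope.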

Why is this important?

It’s pretty simple – by combining ConfigMgr with Intune (and EMS!) and leveraging the conditional access feature set you are able to limit or deny access to services and data that properly authenticated end users would otherwise be able to obtain and potentially exfiltrate – with no additional systems or software.

Of course, there are some limitations and gotchas here – depending on the device operating system, whether the device is managed by standalone ConfigMgr or a hybrid implementation with Intune… and the specifics of your Office 365 subscription.

Interested? Make sure you read the ‘before you start’ guidance before beginning any implementation design.

SCCM 2012 & 2012 R2 Scalability Improvements

With the forthcoming service packs for SCCM 2012 and SCCM 2012 R2, you can now scale a hierarchy to 600,000 managed devices (50% increase from 400k) and a standalone primary site now can manage a maximum of 150,000 devices (also 50% increase from 100k).

We’ll be testing these scalability numbers over at ITS Partners in the coming weeks and I’ll update this post with our findings.

Support for SQL Server 2014 in System Center 2012 R2 Configuration Manager (SCCM)

Those of you installing shiny new instances of Windows Server 2012 R2 and SQL Server 2014 may be disappointed when you fire up prereqchk.exe and find out you can’t proceed with your ConfigMgr installation.

SQL Server 2014 is supported for CAS, Primary Site and Secondary Site databases in SCCM 2012 R2 with CU4+, but you must first install an earlier supported release of SQL Server (e.g. SQL Server 2012 SP2) before installing ConfigMgr. After the install, you may then upgrade your SQL Server to 2014.

The following footnote is found under Configurations for the SQL Server Site Database in the TechNet article Supported Configurations for Configuration Manager:

This version of SQL Server is only supported when you upgrade the install of SQL Server that hosts an existing site database to this version of SQL Server.

How are my customers using Symantec’s (Altiris) Deployment Solution and the Microsoft Deployment Toolkit in 2014?

We recently conducted a survey of our customers to understand how they are using various image creation and deployment tools available on the market. Our sample group contained a lot of long-time customers and included active deployments.

I have observed a trend over the past couple years of successfully leveraging MDT to build reference images (aka gold master, source) and then handing that image off to Deployment Solution 6.9 or 7.x for distribution.

Whether you choose DS 6.9 or DS 7.x comes down to your licensing investment, IT maturity and frame of reference on policy-based systems management tools.

Without further ado, here’s the data!

From infrastructure management to infrastructure security

The foundation of a layered approach to security for both core and edge is configuration management. For a long time now we have seen other IT darlings like security and process automation eat up any budget not consumed by your ERP project. I’d argue that you can’t really accomplish any of your organizational goals for IT operations without a systems management infrastructure that is reliable, relevant and accessible.

In a webinar delivered last month, I asked you to consider how Symantec’s IT Management Suite v7.5 can be leveraged to enable your risk management and compliance operations. Whether it’s knowing where your assets are being used (and by whom) or aggregating event data for your info management solution – ITMS probably has some tricks you haven’t seen. Check out the webinar on Symantec Connect at

Questions? Hit me up!