SCCM Application Management

Microsoft System Center Configuration Manager (SCCM) has been considered an exemplary tool for managing
Microsoft applications. It does both patch management and software deployment seamlessly. But handling third-
party applications isn't its game. That's why, in addition to patch management, Patch Connect Plus also equips
users with third-party software deployment for SCCM Application Management. You can find a step-by-step
document that explains SCCM application deployment in detail from our knowledge base!

How to manage third-party applications in SCCM

SCCM has a dedicated 'Application Management' tab, found under 'Overview' situated to the left side of the
console. This tab contains multiple options that help admins manage Microsoft applications, store licensing
information and create application packages for deployment. Patch Connect Plus leverages SCCM's application
management functionality to streamline the deployment of third party software to client machines. The unique set
of tools allow SCCM users to distribute third-party applications right from the SCCM console.

Here's how Patch Connect plus supplements SCCM application manager.

1. A vast repository of third-party applications

2. Pre-defined application templates
3. Pre/Post deployment scripts

Applications repository
Patch Connect Plus is backed with a strong 300 plus-application-repository that comes with all popular third-party
applications like Java, Apple iTunes, Google Chrome etc. This way, Patch Connect Plus saves you from the
daunting task of downloading your favourite applications from the vendor site.
Pre-defined application templates
Patch Connect Plus offers application templates which you can harness to perform basic and some of the widely
used deployment actions while installing third-party applications. These application template include,

• Skipping the deployment process if the application is running.

• Providing an option to uninstall older patches.
• Restricting applications from having a start menu icon.
• Restricting applications from having a taskbar icon.
• Restricting applications from having a desktop shortcut.

Pre/Post deployment scripts

With application deployment, comes the complex task of customizing it to your enterprise's need. Patch Connect
Plus' Application Management helps you run custom scripts to perform pre and post deployment actions. You can
have your script to apply follow-up configurations, change registry settings, create/remove shortcuts,
create/append path, and much more before or after the installation.

Operating System Deployment using SCCM

You can use Configuration Manager to deploy operating systems in a number of different ways. Use
the information in this section to understand how to deploy operating systems and automate tasks.

The operating system deployment process

Configuration Manager provides several methods that you can use to deploy an operating system.
There are several actions that you must take regardless of the deployment method that you use:

• Identify Windows device drivers that are required to start the boot image or install the
operating system image that you have to deploy.
• Identify the boot image that you want to use to start the destination computer.
• Use a task sequence to capture an image of the operating system that you will deploy.
Alternatively, you can use a default operating system image.
• Distribute the boot image, operating system image, and any related content to a
distribution point.
• Create a task sequence with the steps to deploy the boot image and the operating
system image.
• Deploy the task sequence to a collection of computers.
• Monitor the deployment.

Operating system deployment scenarios

There are many operating system deployment scenarios in Configuration Manager that you can
choose from depending on your environment and the purpose for the operating system installation.
For example, you can partition and format an existing computer with a new version of Windows or
upgrade Windows to the latest version. To help you determine the deployment method that meets
your needs, review Scenarios to deploy enterprise operating systems. You can choose from the
following operating system deployment scenarios:

• Upgrade Windows to the latest version

• Refresh an existing computer with a new version of Windows
• Install a new version of Windows on a new computer (bare metal)
• Replace an existing computer and transfer settings

Methods to deploy operating systems

There are several methods that you can use to deploy operating systems to Configuration Manager
client computers.

• PXE initiated deployments: PXE-initiated deployments let client computers request a

deployment over the network. In this method of deployment, the operating system
image and a Windows PE boot image are sent to a distribution point that is configured
to accept PXE boot requests. For more information, see Use PXE to deploy Windows
over the network with Configuration Manager.
• Make operating systems available in Software Center: You can deploy an operating
system and make it available in the Software Center. Configuration Manager clients can
initiate the operating system installation from Software Center. For more information,
see Replace an existing computer and transfer settings.
• Multicast deployments: Multicast deployments conserve network bandwidth by
concurrently sending data to multiple clients instead of sending a copy of the data to
each client over a separate connection. In this method of deployment, the operating
system image is sent to a distribution point. This in turn deploys the image when client
computers request the deployment. For more information, see Use multicast to deploy
Windows over the network.
• Bootable media deployments: Bootable media deployments let you deploy the
operating system when the destination computer starts. When the destination computer
starts, it retrieves the task sequence, the operating system image, and any other
required content from the network. Because that content is not included on the media,
you can update the content without having to re-create the media. For more
information, see Create bootable media.
• Stand-alone media deployments: Stand-alone media deployments let you deploy
operating systems in the following conditions:
o In environments where it is not practical to copy an operating system image or
other large packages over the network.
o In environments without network connectivity or low bandwidth network
connectivity.

For more information, see Create stand-alone media.

• Pre-staged media deployments: Pre-staged media deployments let you deploy an

operating system to a computer that is not fully provisioned. The pre-staged media is a
Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by
 the manufacturer or at an enterprise staging center that is not connected to the
Configuration Manager environment.

Later in the Configuration Manager environment, the computer starts by using the boot
image provided by the media, and then connects to the site management point for
available task sequences that complete the download process. This method of
deployment can reduce network traffic because the boot image and operating system
image are already on the destination computer. You can specify applications, packages,
and driver packages to include in the pre-staged media. For more information,
see Create prestaged media.

Boot images

A boot image in Configuration Manager is a Windows PE (WinPE) image that is used during an
operating system deployment. Boot images are used to start a computer in WinPE, which is a
minimal operating system with limited components and services that prepare the destination
computer for Windows installation. Configuration Manager provides two boot images: One to
support x86 platforms and one to support x64 platforms. These are considered default boot images.
Boot images that you create and add to Configuration Manager are considered custom images.
Default boot images can be automatically replaced when you update Configuration Manager. For
more information about boot images, see Manage boot images.

Operating system images

Operating system images in Configuration Manager are stored in the Windows Imaging (WIM) file
format and represent a compressed collection of reference files and folders that are required to
successfully install and configure an operating system on a computer. For all operating system
deployment scenarios, you must select an operating system image. You can use the default
operating system image or build the operating system image from a reference computer that you
configure. For more information, see Manage operating system images.

Operating system upgrade packages

Operating system upgrade packages are used to upgrade an operating system and are setup-
initiated operating system deployments. You import operating system upgrade packages to
Configuration Manager from a DVD or mounted ISO file. For more information, see Manage
operating system upgrade packages.

Media to deploy operating systems

You can create several kinds of media that can be used to deploy operating systems. This includes
capture media that is used to capture operating system images and stand-alone, pre-staged, and
bootable media that is used to deploy an operating system. By using media, you can deploy
operating systems on computers that do not have a network connection or that have a low
bandwidth connection to your Configuration Manager site. For more information about how to use
media, see Create task sequence media.

Device drivers

You can install device drivers on destination computers without including them in the operating
system image that is being deployed. Configuration Manager provides a driver catalog that contains
references to all the device drivers that you import into Configuration Manager. The driver catalog is
located in the Software Library workspace and consists of two nodes: Drivers and Driver
Packages. The Drivers node lists all the drivers that you have imported into the driver catalog. You
can use this node to discover the details about each imported driver, to change what driver package
or boot image a driver belongs to, to enable or disable a driver, and more. For more information,
see Manage drivers.

Save and restore user state

When you deploy operating systems, you can save the user state from the destination computer,
deploy the operating system, and then restore the user state after the operating systems is
deployed. This process is typically used when you install the operating system on a Configuration
Manager client computer.

The user state information is captured and restored by using task sequences. When the user state
information is captured, the information can be stored in one of the following ways:

• You can store the user state data remotely by configuring a state migration point. The
Capture task sequence sends the data to the state migration point. Then, after the
operating system is deployed, the Restore task sequence retrieves the data and restores
the user state on the destination computer.
• You can store the user state data locally to a specific location. In this scenario, the
Capture task sequence copies the user data to a specific location on the destination
computer. Then, after the operating system is deployed, the Restore task sequence
retrieves the user data from that location.
• You can specify hard links that can be used to restore the user data to its original
location. In this scenario, the user state data remains on the drive when the old
operating system is removed. Then, after the operating system is deployed, the Restore
task sequence uses the hard links to restore the user state data to its original location.

For more information Manage user state.

Deploy to unknown computers

You can deploy an operating system to computers that are not managed by Configuration Manager.
There is no record of these computers in the Configuration Manager database. These computers are
referred to as unknown computers. Unknown computers include the following:

• A computer where the Configuration Manager client is not installed

 • A computer that is not imported into Configuration Manager
• A computer that is not discovered by Configuration Manager

For more information, see Prepare for unknown computer deployments.

Associate users with a computer

When you deploy an operating system, you can associate users with the destination computer to
support user device affinity actions. When you associate a user with the destination computer, the
administrative user can later perform actions on whichever computer is associated with that user,
such as deploying an application to the computer of a specific user. However, when you deploy an
operating system, you cannot deploy the operating system to the computer of a specific user. For
more information, see Associate users with a destination computer.

Use task sequences to automate steps

You can create task sequences to perform a variety of tasks within your Configuration Manager
environment. The actions of the task sequence are defined in the individual steps of the sequence.
When the task sequence is run, the actions of each step are performed at the command-line level
without requiring user intervention. You can use task sequences for the following:

• Create a task sequence to install an operating system

• Create a task sequence for non-operating system deployments
• Create a task sequence to capture an operating system
• Create a task sequence to capture and restore user state
• Create a custom task sequence

Endpoint Protection using SCCM

Endpoint Protection manages antimalware policies and Windows Defender Firewall security for
client computers in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

• Configure antimalware policies, Windows Defender Firewall settings, and manage Microsoft
Defender for Endpoint to selected groups of computers.
• Use Configuration Manager software updates to download the latest antimalware definition files
to keep client computers up to date.
• Send email notifications, use in-console monitoring, and view reports. These actions inform
administrative users when malware is detected on client computers.

Beginning with Windows 10 and Windows Server 2016 computers, Microsoft Defender Antivirus is
already installed. For these operating systems, a management client for Microsoft Defender Antivirus
is installed when the Configuration Manager client installs. On Windows 8.1 and earlier computers,
the Endpoint Protection client is installed with the Configuration Manager client. Microsoft Defender
Antivirus and the Endpoint Protection client have the following capabilities:

• Malware and spyware detection and remediation

• Rootkit detection and remediation
• Critical vulnerability assessment and automatic definition and engine updates
• Network vulnerability detection through Network Inspection System
• Integration with Cloud Protection Service to report malware to Microsoft. When you join this
service, the Endpoint Protection client or Microsoft Defender Antivirus downloads the latest
definitions from the Malware Protection Center when unidentified malware is detected on a
computer.

The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual
machines with supported operating systems. To prevent excessive CPU usage, Endpoint Protection
actions have a built-in randomized delay so that protection services do not run simultaneously.

You can also manage Windows Defender Firewall settings with Endpoint Protection in the
Configuration Manager console.

Manage malware

Endpoint Protection in Configuration Manager allows you to create antimalware policies that
contain settings for Endpoint Protection client configurations. Deploy these antimalware policies to
client computers. Then monitor compliance in the Endpoint Protection Status node
under Security in the Monitoring workspace. Also use Endpoint Protection reports in
the Reporting node.

Manage Windows Defender Firewall

Endpoint Protection in Configuration Manager provides basic management of the Windows

Defender Firewall on client computers. For each network profile, you can configure the following
settings:

• Enable or disable the Windows Defender Firewall.

• Block incoming connections, including connections in the list of allowed programs.
• Notify the user when Windows Defender Firewall blocks a new program.

Endpoint Protection supports managing the Windows Defender Firewall only.

Microsoft Defender for Endpoint

Configuration Manager manages and monitors Microsoft Defender for Endpoint, formerly known as
Windows Defender for Endpoint. The Microsoft Defender for Endpoint service helps you detect,
investigate, and respond to advanced attacks on your network. For more information, see Microsoft
Defender for Endpoints.
Endpoint Protection workflow

Use the following diagram to help you understand the workflow to implement Endpoint Protection
in your Configuration Manager hierarchy.

Recommendations

Use the following recommendations for Endpoint Protection in Configuration Manager.

Configure custom client settings

When you configure client settings for Endpoint Protection, don't use the default client settings. The
defaults apply settings to all computers in your hierarchy. Instead, configure custom client settings
and assign these settings to collections of computers in your hierarchy.

When you configure custom client settings, you can do the following:

• Customize antimalware and security settings for different parts of your organization.
• Test the effects of running Endpoint Protection on a small group of computers before you
deploy it to the entire hierarchy.
• Add more clients to the collection over time to phase your deployment of the Endpoint
Protection settings.

Distributing definition updates by using software updates

If you use Configuration Manager software updates to distribute definition updates, put definition
updates in a package that doesn't include other software updates. This practice keeps the size of the
definition update package smaller which allows it to replicate to distribution points more quickly.