Microsoft Uses System Center To Manage 300,000 PCs
Microsoft recently offered some perspective about its own use of System Center Configuration Manager (SCCM) to deploy and test the software it produces.
The company regularly uses its SCCM product to deploy Microsoft software patches across the company's facilities worldwide prior to the release of its public "patch Tuesday" security updates each month. The scale of the company's use of SCCM was recently discussed in two Microsoft-produced podcasts issued this month featuring Brad Anderson, Microsoft corporate vice president for Enterprise Mobility, and Kelly Pranghofer, who oversees Microsoft's SCCM use. Pranghofer also oversees Microsoft Intune use for the company's mobile device management needs, as well as the management of Microsoft's RemoteApp service, which facilitates access to apps running on remote servers.
Pranghofer said that Microsoft uses SCCM to manage 300,000 PCs, with about 70 percent of that total representing Windows 8.1 deployments. About 13 percent to 14 percent of that total represents machines running Windows Server.
Microsoft's goal when releasing its patch software internally, prior to patch Tuesday public releases, is to hit 98 percent of its 300,000 PCs over a period of seven days, Pranghofer explained. The company has five primary sites around the world for its software patching, along with 12 or 13 secondary sites, plus 350 distribution servers.
For each patch release deployment, the team deploys to about 10,000 PCs initially, which allows them to check for any problems. Microsoft permits this initial test group to suppress reboots for up to seven days, after which the change takes effect. The goal is to get 98 percent compliance from such rollouts.
In addition to testing software patches in advance of public release by simply delivering them down to employees' machines, the team deploys and uses prerelease versions of SCCM software. Pranghofer explained during the talk that Microsoft has already deployed "Service Pack 2" across the company. Presumably he was referring to System Center 2012 R2 SP2, which isn't available publicly, nor is SP1. He said that the deployment of SP2 took place over a single weekend, adding that organizations can deploy new System Center software quickly if they want to do so, although many would typically take months to do it.
On the mobile side, Microsoft currently has 30,000 devices under management. Of that total, 65 percent to 75 percent are Windows Phone devices. However, Pranghofer noted that Microsoft is permissive about allowing its employees to use non-Microsoft devices, including iOS- and Android-based devices.
Microsoft's wireless network for employees is split into two parts: one that connects to the public Internet and another that connects to the corporate network. Accessing the corporate Wi-Fi network requires a device to have a certificate and be managed via Microsoft Intune, Pranghofer said. Accessing the virtual private network at Microsoft requires that a device have a certificate and pass a multifactor authentication test.
Pranghofer said that in the next couple of months, Microsoft is going to require "conditional access" for its devices. With the conditional access approach, a device has to meet certain requirements and be managed in order for network access to be granted.
Anderson and Pranghofer concluded their discussion by asserting that SCCM has gone beyond being a patch management tool. It's becoming more of a core critical business system for Microsoft, they contended.
Pranghofer said he has overseen Microsoft's internal SCCM practices since 2005. Anderson noted that Microsoft recently moved its System Center team out of the IT department and into the engineering team. Pranghofer noted that this shift has helped the SCCM team to better address scale issues with its management tools, as well as circumstances where there might be some feature gaps.
Part 1 of the podcast can be accessed here, with Part 2 at this page. Each podcast is about 12 minutes long.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.