Windows System Center 2012: The review

System Center Endpoint Protection

System Center Endpoint Protection (SCEP, formerly Forefront Endpoint Protection) is Microsoft's anti-malware offering. Forefront is a good enterprise product. It is easy to deploy, easy to monitor, has a great centralized system for doing things and generally does exactly what you'd expect from a fully mature enterprise-class anti-malware system.

It's hard to get excited about such a thing; harder still to review any anti-malware product without overcoming my cynicism regarding the entire anti-malware industry. Banging on about detection rates or holding up one company's PR spin about approach to security as somehow less full of crap than the other is pointless.

Forefront won't catch everything … but neither will anyone else's offering. Forefront is about as good as the competition. If Hyper-V is your hypervisor, SCEP's integration with Microsoft's products will be a big asset. If VMware is your hypervisor, take the time to talk to VMware about which endpoint protection integrates best with VMware's offerings for your workloads.

Although anti-malware bores me in general, I am impressed by the feature upgrades that SP1 brings to SCEP 2012. There are finally anti-malware agents for Linux and OS X. Linux support is news well-received: many of my clients run Linux file and web servers. An infected Linux machine in the wild is rare, but it's wonderful to have properly managed enterprise anti-malware able to scan the file system for malware which could affect more frequently compromised operating systems.

SCEP is a nice-to-have. If you are already paying for System Center, use it. If you are thinking of getting System Center just for SCEP, it's worth your time to consider other options; the competition is just as good and a lot cheaper.

System Center Virtual Machine Manager

System Center Virtual Machine Manager (SCVMM) is the heavy hitter of the System Center suite. Many shops will buy System Center just to get at SCCM or SCOM, but it is SCVMM that rightly grabs the spotlight.

SCVMM is the very core of Microsoft's private cloud offering, something I've previously reviewed. (Part 1, Part 2, Part 3.)

A lot of what's new and sexy with Microsoft virtualization is thanks to improvements in Hyper-V. These improvements are free: you can go download Hyper-V free from Microsoft and set yourself up a 64 node cluster if you want. Microsoft is betting that you'll choose to pay for the management tools, and I'd say that's a safe bet.

Attempting to configure a Hyper-V "free" cluster has been known to cause binge drinking. I don't even want to contemplate what the long-term impacts of maintaining a Hyper-V data center without SCVMM would be.

SCVMM takes the pain away. With the 2012 virtualization stack, Microsoft finally goes toe-to-toe with VMware. Where SCVMM may lack something, the rest of the System Center suite – which you get when you pay for SCVMM – fill in the gaps. Microsoft is so confident in the power and capability of its management tools that it has put a great deal of effort into making them capable of running heterogeneous virtualized environments.

If you haven't used SCVMM 2012 and do anything involving virtualization then it is time to knock together a test lab.

Licensing

If you print all 178 pages of Microsoft's product use rights document, according to internet legend, your printer will chant "ph'nglui mglw'nafh Cthulhu Redmond wgah'nagl fhtagn." The incomprehensibility! the cosmic horror!

Loathing for Microsoft's licensing department is hard fought and well earned. Curiously, at least one of that department's damned souls appears not to have gotten the memo. Microsoft has published both a System Center licensing Datasheet and an FAQ. The licensing is still unnecessarily byzantine, but at least someone is trying to make it comprehensible.

In the brave new world of 2012 we have Operating System Environments (OSEs) and Machine Licenses (MLs). OSEs are exactly what they sound like; an instance of an operating system, virtual or otherwise. MLs can be client, or server. Client MLs can be thought of as "per device CALs," though Microsoft doesn't use that terminology.

Server MLs are "per processor socket licenses", except that Microsoft now licenses in packs of two. This makes sense; the overwhelming majority of servers deployed are 2P systems. You can combine server MLs on a single system; two server MLs gives licenses for four processors allowing you to properly licenses a 4P system when a specific 4P ML doesn't exist. You cannot split a server ML; no licensing two 1P systems with a single server ML.

Datacenter ($3607) allows you to run unlimited OSEs, provided you have enough MLs to cover your socket count. Standard ($1323) allows you 2 OSEs; Microsoft claims the break-even point for getting Datacenter instead of Standard is at 7VMs on a given host.

System Center 2012 has three different client ML packs. Endpoint Protection (SCEP, $22), Configuration Manager (SCCM and SCVMM, $62) and the Client Management Suite Client ML (SCCM, SCOM, SCDPM, SCO, $121). The Core CAL Suite includes the Configuration Manager Endpoint Protection Client MLs. The Enterprise CAL Suite. Includes all three System Center 2012 Client MLs.

When you put the cost of Windows Server Datacenter licensing together with System Center, Microsoft is asking a significant chunk of change for each server in your data center before applications are even installed. Between CALs and client MLs, Microsoft also requires a tax on each user and device that accesses infrastructure managed by its software.

Summary

In exchange, Microsoft has a solid and credible enterprise offering filled with mature, tested products. The old stereotypes of Windows being unfit and insecure are no longer based in reality, and that's been the case for a while. System Center 2012 marks the first time that Microsoft can provide management and automation software capable of challenging any rival.

This is not the release cycle that will storm the enterprise infrastructure automation world by force, gutting the businesses of established players. The next one, however, probably will. ®

Trevor Pott is a systems administrator based in Edmonton, Canada.